Fix changes to pqc header file rename#501
Open
aidangarske wants to merge 4 commits intowolfSSL:masterfrom
Open
Fix changes to pqc header file rename#501aidangarske wants to merge 4 commits intowolfSSL:masterfrom
aidangarske wants to merge 4 commits intowolfSSL:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates wolfTPM’s PQC (TPM 2.0 v1.85 / ML-KEM) integration to match an upstream wolfSSL header rename (mlkem.h → wc_mlkem.h), preventing --enable-pqc/--enable-v185 configure/build failures with current wolfSSL.
Changes:
- Switch ML-KEM includes in fwTPM code and tests to
wolfssl/wolfcrypt/wc_mlkem.h. - Update
configure.acfeature probes (AC_CHECK_DECL) and comments to referencewc_mlkem.h. - Simplify the ML-KEM include selection logic in
src/tpm2_wrap.c.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
configure.ac |
Updates ML-KEM configure-time probes to include wc_mlkem.h. |
src/tpm2_wrap.c |
Replaces mlkem.h usage with wc_mlkem.h / ext_mlkem.h selection. |
src/fwtpm/fwtpm_crypto.c |
Updates fwTPM PQC include to wc_mlkem.h. |
tests/fwtpm_unit_tests.c |
Updates unit test ML-KEM include to wc_mlkem.h. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
dgarske
previously approved these changes
May 8, 2026
… upstream-drift CI configure.ac: add LIBWOLFSSL_VERSION_HEX check so --enable-v185/--enable-pqc fails fast against unsupported wolfSSL releases (kyber.h era), instead of relying on transitive header aliasing through wc_mlkem.h. Add .github/workflows/wolfssl-versions.yml matrix: builds wolfTPM PQC against wolfSSL v5.8.0-stable, v5.8.4-stable, v5.9.1-stable, and master. Catches the next upstream rename within the matrix run, not 9 days later. Add .github/workflows/nightly.yml: cron 02:17 UTC fan-out via repository_dispatch[nightly-trigger]. 12 workflows opt in (cmake-build, codespell, fwtpm-test, make-test-swtpm, multi-compiler, pqc-examples, release-checks, sanitizer, seal-test, win-test, wolfssl-versions, zephyr). hw-spdm-test deliberately does NOT opt in so the self-hosted Pi runner cannot be batch-triggered. repository_dispatch is API-only (no UI button) so only the nightly job can fire these.
…o shim Three small workarounds let wolfTPM PQC build + run cleanly against every wolfSSL stable since v5.8.0, instead of requiring v5.9.0+: * src/fwtpm/fwtpm_crypto.c (FwVerifySignatureCore): cast sig->signature.rsapss.sig.buffer to (byte*)(uintptr_t) so the call compiles against v5.8.0 (where wc_RsaPSS_VerifyCheck takes byte*) AND v5.8.4+ (where it takes const byte*). Cast is a no-op on the const path. * src/fwtpm/fwtpm_crypto.c (FwMlkemDecapsulate): for LIBWOLFSSL_VERSION_HEX < 0x05009000, encode the public key once before wc_MlKemKey_Decapsulate. wolfSSL <= v5.8.4 has a Decap-from-seed bug (commit 8a75e7d1c "ML-KEM decapsulate: check for H" landed in v5.9.0): Decap needs H = hash(pubkey) cached on the key, but MakeKeyWithRandom from seed never populated it. EncodePublicKey triggers the cache as a side effect. * wolftpm/tpm2_types.h: when LIBWOLFSSL_VERSION_HEX < 0x05008004, define a static-inline wc_ForceZero (volatile byte-wise zero, mirroring wolfssl/wolfcrypt/src/misc.c::ForceZero). wc_ForceZero was first declared in wolfssl/wolfcrypt/memory.h at v5.8.4. Lives in tpm2_types.h so all callers (SPDM, PQ examples, etc.) get it without per-file shims. Add v5.8.2 and v5.9.0 to wolfssl-versions.yml matrix so the boundaries of every workaround are covered: 5 stable versions (v5.8.0, v5.8.2, v5.8.4, v5.9.0, v5.9.1) + master. Locally validated: all 6 pass build + fwtpm_unit.test (PQC KAT block).
dgarske
requested changes
May 8, 2026
Make it explicit that this matrix is PQC-only. Other wolfTPM workflows (fwtpm-test.yml, make-test-swtpm.yml, pqc-examples.yml) already cover core wolfTPM build/test against wolfSSL master.
aidangarske
force-pushed
the
fix-upstream-pqc
branch
from
4a56b7d to
43c73ff
Compare
dgarske
requested changes
May 8, 2026
| wolfssl-ref: 'v5.8.0-stable' | ||
| cache-key: 'wolfssl-pqc-v5.8.0-v1' | ||
| # Latest stable: workarounds gated off via VERSION_HEX. | ||
| - wolfssl-version: 'v5.9.1-stable' |
Member
There was a problem hiding this comment.
We need a dynamic way to get the latest -stable tag...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v5.8.0, v5.9.0, masterwith PQC to validate support