Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/build-workflow.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ jobs:
working-directory: ./wolfssl
run: |
./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-md5 \
--enable-mldsa C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
--enable-mldsa --enable-lms --enable-xmss C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"

@philljj philljj Jul 17, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these workflows be testing --enable-lms=verify-only --enable-xmss=verify-only for now?

It wouldn't surprise me if long term verify-only is the use case vast majority of XMSS/LMS users are interested in.

LMS/XMSS verify-only has very attractive features (it can be incredibly lean, has no math library dependency, etc). In other words, consider verify-only LMS/XMSS an option to support and test rather than a feature deficiency.

Signing would require integration with a hardware HSM.

- name: wolfssl make install
working-directory: ./wolfssl
run: make
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/cmake.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,8 @@ jobs:
-DWOLFSSL_SHA:BOOL=yes -DWOLFSSL_SHA224:BOOL=yes -DWOLFSSL_SHA3:STRING=yes -DWOLFSSL_SHA384:BOOL=yes \
-DWOLFSSL_SHA512:BOOL=yes -DWOLFSSL_SHAKE128:STRING=yes -DWOLFSSL_SHAKE256:STRING=yes \
-DWOLFSSL_SP_MATH_ALL:BOOL=yes -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes -DWOLFSSL_MLKEM=1 \
-DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PUBLIC_MP:BOOL=yes \
-DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_XMSS=1 \
-DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PUBLIC_MP:BOOL=yes \
-DWOLFSSL_WC_RSA_DIRECT:BOOL=yes -DCMAKE_BUILD_TYPE=Release \
..
cmake --build .
Expand All @@ -64,6 +65,7 @@ jobs:
-DWOLFPKCS11_AESECB:BOOL=yes -DWOLFPKCS11_AESCTS:BOOL=yes -DWOLFPKCS11_AESCMAC:BOOL=yes \
-DWOLFPKCS11_PBKDF2:BOOL=yes -DWOLFPKCS11_SHA3:BOOL=yes -DWOLFPKCS11_PKCS11_V3_0:BOOL=yes \
-DWOLFPKCS11_PKCS11_V3_2:BOOL=yes -DWOLFPKCS11_MLDSA:BOOL=yes -DWOLFPKCS11_MLKEM:BOOL=yes \
-DWOLFPKCS11_LMS:BOOL=yes -DWOLFPKCS11_XMSS:BOOL=yes \
-DCMAKE_MODULE_PATH="$GITHUB_WORKSPACE/install/${CMAKE_INSTALL_LIBDIR}" \
..
cmake --build .
Expand Down
16 changes: 16 additions & 0 deletions .github/workflows/unit-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,22 @@ jobs:
uses: ./.github/workflows/build-workflow.yml
with:
config: --enable-mlkem
lms:
uses: ./.github/workflows/build-workflow.yml
with:
config: --enable-lms
xmss:
uses: ./.github/workflows/build-workflow.yml
with:
config: --enable-xmss
lms_xmss:
uses: ./.github/workflows/build-workflow.yml
with:
config: --enable-lms --enable-xmss
lms_xmss_static:
uses: ./.github/workflows/build-workflow.yml
with:
config: --enable-lms --enable-xmss --disable-shared
debug:
uses: ./.github/workflows/build-workflow.yml
with:
Expand Down
57 changes: 57 additions & 0 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -509,6 +509,54 @@ if(WOLFPKCS11_MLKEM)
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_MLKEM")
endif()

# LMS/HSS (RFC 8554) verify + public-key import (default: disabled)
add_option("WOLFPKCS11_LMS"
"Enable wolfPKCS11 LMS/HSS verification and public-key import (default: disabled)"
"no" "yes;no"
)

if(WOLFPKCS11_LMS AND NOT WOLFPKCS11_SHA256)
message(STATUS "LMS/HSS requires SHA-256 support (disabled); disabling WOLFPKCS11_LMS")
override_cache(WOLFPKCS11_LMS "no")
endif()

if(WOLFPKCS11_LMS)
if(NOT WOLFPKCS11_PKCS11_V3_2)
message(STATUS "LMS/HSS requires PKCS#11 v3.2 support — enabling WOLFPKCS11_PKCS11_V3_2 automatically")
override_cache(WOLFPKCS11_PKCS11_V3_2 "yes")
if(NOT WOLFPKCS11_PKCS11_V3_0)
override_cache(WOLFPKCS11_PKCS11_V3_0 "yes")
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_0")
endif()
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_2")
endif()
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_LMS")
endif()

# XMSS/XMSS^MT (RFC 8391) verify + public-key import (default: disabled)
add_option("WOLFPKCS11_XMSS"
"Enable wolfPKCS11 XMSS/XMSS^MT verification and public-key import (default: disabled)"
"no" "yes;no"
)

if(WOLFPKCS11_XMSS AND NOT WOLFPKCS11_SHA256)
message(STATUS "XMSS requires SHA-256 support (disabled); disabling WOLFPKCS11_XMSS")
override_cache(WOLFPKCS11_XMSS "no")
endif()

if(WOLFPKCS11_XMSS)
if(NOT WOLFPKCS11_PKCS11_V3_2)
message(STATUS "XMSS requires PKCS#11 v3.2 support — enabling WOLFPKCS11_PKCS11_V3_2 automatically")
override_cache(WOLFPKCS11_PKCS11_V3_2 "yes")
if(NOT WOLFPKCS11_PKCS11_V3_0)
override_cache(WOLFPKCS11_PKCS11_V3_0 "yes")
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_0")
endif()
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_2")
endif()
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_XMSS")
endif()


# If wolfpkcs11/options.h exists, delete it to avoid
# a mixup with build/wolfpkcs11/options.h.
Expand Down Expand Up @@ -728,6 +776,15 @@ if(WOLFPKCS11_TESTS)
add_wpkcs11_test(${test_target}
${CMAKE_CURRENT_SOURCE_DIR}/tests/${test_target}.c)
endforeach()

# HBS (LMS/HSS, XMSS/XMSS^MT) public-key persistence test. Only built when
# the feature is enabled; the test exits 77 (skip) when no token store is
# available, so treat that as a skip rather than a failure.
if(WOLFPKCS11_LMS OR WOLFPKCS11_XMSS)
add_wpkcs11_test(hbs_persistence_test
${CMAKE_CURRENT_SOURCE_DIR}/tests/hbs_persistence_test.c)
set_tests_properties(hbs_persistence_test PROPERTIES SKIP_RETURN_CODE 77)
endif()
endif()

if(WOLFPKCS11_EXAMPLES)
Expand Down
4 changes: 4 additions & 0 deletions cmake/options.h.in
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,10 @@ extern "C" {
#cmakedefine WOLFPKCS11_MLDSA
#undef WOLFPKCS11_MLKEM
#cmakedefine WOLFPKCS11_MLKEM
#undef WOLFPKCS11_LMS
#cmakedefine WOLFPKCS11_LMS
#undef WOLFPKCS11_XMSS
#cmakedefine WOLFPKCS11_XMSS
#undef WOLFPKCS11_TPM
#cmakedefine WOLFPKCS11_TPM
#undef WOLFPKCS11_NSS
Expand Down
61 changes: 61 additions & 0 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -566,6 +566,65 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_MLKEM"
fi

# LMS/HSS (RFC 8554) verification and public-key import. Requires wolfSSL
# built with --enable-lms (WOLFSSL_HAVE_LMS). Sign/keygen are a separate,
# later feature; this flag provides verify + public-key import only.
AC_ARG_ENABLE([lms],
[AS_HELP_STRING([--enable-lms],[Enable LMS/HSS verification and public-key import (default: disabled)])],
[ ENABLED_LMS=$enableval ],
[ ENABLED_LMS=no ]
)

if test "$ENABLED_SHA256" = "no"
then
if test "$ENABLED_LMS" = "yes"; then
echo "LMS/HSS requires SHA-256 support (disabled), disabling LMS/HSS"
fi
ENABLED_LMS=no
fi

if test "$ENABLED_LMS" = "yes"
then
if test "$ENABLED_PKCS11V3_2" = "no"; then
ENABLED_PKCS11V3_2=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
if test "$ENABLED_PKCS11V3_0" = "no"; then
ENABLED_PKCS11V3_0=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_0"
fi
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_LMS"
fi

# XMSS/XMSS^MT (RFC 8391) verification and public-key import. Requires wolfSSL
# built with --enable-xmss (WOLFSSL_HAVE_XMSS). Verify + public-key import only.
AC_ARG_ENABLE([xmss],
[AS_HELP_STRING([--enable-xmss],[Enable XMSS/XMSS^MT verification and public-key import (default: disabled)])],
[ ENABLED_XMSS=$enableval ],
[ ENABLED_XMSS=no ]
)

if test "$ENABLED_SHA256" = "no"
then
if test "$ENABLED_XMSS" = "yes"; then
echo "XMSS requires SHA-256 support (disabled), disabling XMSS"
fi
ENABLED_XMSS=no
fi

if test "$ENABLED_XMSS" = "yes"
then
if test "$ENABLED_PKCS11V3_2" = "no"; then
ENABLED_PKCS11V3_2=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
if test "$ENABLED_PKCS11V3_0" = "no"; then
ENABLED_PKCS11V3_0=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_0"
fi
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_XMSS"
fi


AM_CONDITIONAL([BUILD_STATIC],[test "x$enable_shared" = "xno"])

Expand Down Expand Up @@ -755,6 +814,8 @@ echo " * ECC: $ENABLED_ECC"
echo " * HKDF: $ENABLED_HKDF"
echo " * ML-DSA: $ENABLED_MLDSA"
echo " * ML-KEM: $ENABLED_MLKEM"
echo " * LMS/HSS verify: $ENABLED_LMS"
echo " * XMSS/XMSS^MT verify: $ENABLED_XMSS"
echo " * NSS modifications: $ENABLED_NSS"
echo " * Default token path: $WOLFPKCS11_DEFAULT_TOKEN_PATH"
echo " * PKCS#11 Version 3.0: $ENABLED_PKCS11V3_0"
Expand Down
Loading
Loading