C# Wrapper: ML-KEM and ML-DSA (Dilithium) Support#10191
Merged
SparkiDev merged 4 commits intowolfSSL:masterfrom Apr 14, 2026
Merged
C# Wrapper: ML-KEM and ML-DSA (Dilithium) Support#10191SparkiDev merged 4 commits intowolfSSL:masterfrom
SparkiDev merged 4 commits intowolfSSL:masterfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds post-quantum ML-KEM (KEM) and ML-DSA/Dilithium (signature) support to the wolfSSL C# wrapper, including test coverage and updated build/run instructions.
Changes:
- Added C# P/Invoke + managed wrapper APIs for ML-KEM (keygen, encode/decode, encaps/decaps, free) and ML-DSA/Dilithium (keygen, export/import, sign/verify, free).
- Extended the wolfSSL C# wrapper with TLS 1.3
UseKeySharesupport and added aNamedGroupenum covering PQC/hybrid groups. - Added new C# wrapper tests for ML-KEM and ML-DSA, plus updated README/user settings for local-prefix builds and running under mono.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs | Adds NamedGroup and UseKeyShare() wrapper for TLS 1.3 key shares (incl. PQC/hybrid IDs). |
| wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs | Adds ML-KEM and ML-DSA/Dilithium wolfCrypt wrappers and related constants/enums. |
| wrapper/CSharp/wolfCrypt-Test/wolfCrypt-Test.cs | Adds ML-KEM and ML-DSA roundtrip tests (keygen + encode/decode or export/import + encaps/decaps or sign/verify). |
| wrapper/CSharp/user_settings.h | Enables ML-KEM/ML-DSA and required primitives/options in the wrapper build. |
| wrapper/CSharp/README.md | Updates build/install steps to use a local prefix and run tests with LD_LIBRARY_PATH. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10191
No scan targets match the changed files in this PR. Review skipped.
Contributor
|
Please resolve conflict. |
SparkiDev
requested changes
Apr 13, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
SparkiDev
approved these changes
Apr 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds post-quantum ML-KEM and ML-DSA support to the wolfSSL C# wrapper, with
build/test instructions, peer review fixes, and a switch to FIPS 204 compliant
Dilithium APIs.
Changes
MlKemMakeKey,MlKemEncode/DecodePublicKey,MlKemEncode/DecodePrivateKey,MlKemEncapsulate,MlKemDecapsulate,MlKemFreeKey(supportsML_KEM_512,ML_KEM_768,ML_KEM_1024).DilithiumMakeKey,DilithiumExport/Importfor public/private keys,DilithiumSignMsg,DilithiumVerifyMsg,DilithiumFreeKey(supportsML_DSA_44/65/87).wc_dilithium_sign_ctx_msg/wc_dilithium_verify_ctx_msgAPIs (withctx=NULL/ctxLen=0) so the wrapperworks without
WOLFSSL_DILITHIUM_NO_CTX.user_settings.h: enablesHAVE_MLKEM,WOLFSSL_WC_MLKEM,HAVE_DILITHIUM,WOLFSSL_WC_DILITHIUM,WOLFSSL_SHAKE128/256, plusWOLFSSL_DTLS_CH_FRAG(required for PQC + DTLS 1.3).
NamedGroupenum extended withWOLFSSL_ML_KEM_512/768/1024and thehybrid groups (
SECP256R1MLKEM768,X25519MLKEM768,SECP384R1MLKEM1024).mlkem_testandmldsa_testcases inwolfCrypt-Test.cscoveringkeygen, encode/decode (or export/import), and full encap/decap or
sign/verify roundtrips for every parameter set.
README.md: documents a sudo-free build with--prefix=$(pwd)/installand running the test viaLD_LIBRARY_PATH=./install/lib mono wrapper/CSharp/wolfcrypttest.exesomono picks up the freshly-built library instead of any stale system one.
wc_MlKemKey_*Size/wc_MlDsaKey_Get*Lencallers,MEMORY_E(notEXCEPTION_E) on RNG allocfailure in
DilithiumSignMsg, dead null re-checks removed from the Freehelpers, indentation cleanup, consistent
wolfcrypt.prefix inmldsa_test, and removal of the C-onlyWOLF_ENUM_DUMMY_LAST_ELEMENTfrom
NamedGroup.Testing
./autogen.sh && cp wrapper/CSharp/user_settings.h . && ./configure --enable-usersettings --prefix=$(pwd)/install && make && make installcd wrapper/CSharp && mcs wolfCrypt-Test/wolfCrypt-Test.cs wolfSSL_CSharp/{wolfCrypt,wolfSSL,X509}.cs -OUT:wolfcrypttest.exeLD_LIBRARY_PATH=./install/lib mono wrapper/CSharp/wolfcrypttest.exe— alltests pass, including ML-KEM 512/768/1024 and ML-DSA 44/65/87
(signature lengths 2420/3309/4627).
Checklist