Add support for LMS and XMSS by padelsbach · Pull Request #352 · wolfSSL/wolfHSM

padelsbach · 2026-05-04T20:35:03Z

Requires wolfSSL/wolfssl#10380 to be merged first (done).

Adds support for "stateful" PQC using crypto callbacks added to wolfssl.

padelsbach · 2026-05-18T22:38:46Z

wolfSSL/wolfssl#10488 is required for CI to pass

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #352

Scan targets checked: wolfhsm-core-bugs, wolfhsm-crypto-bugs, wolfhsm-src

Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #352

Scan targets checked: wolfhsm-core-bugs, wolfhsm-crypto-bugs, wolfhsm-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #352

Scan targets checked: wolfhsm-core-bugs, wolfhsm-crypto-bugs, wolfhsm-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #352

Scan targets checked: wolfhsm-core-bugs, wolfhsm-crypto-bugs, wolfhsm-src

No new issues found in the changed files. ✅

…LMS and WH_KEY_ALGO_XMSS

…sImportPubKey

…comments

padelsbach · 2026-06-18T05:24:28Z

Bunch of updates pushed to address the big items 1-5 in your general comment above. @Frauschi, would you mind reviewing again to see if we are aligned? I'll continue to clean up the smaller items in the various comments.

Frauschi · 2026-06-18T15:04:48Z

@padelsbach I reviewed your changes and resolved the comments that are already handled. I think most of the bigger issues are already handled, with only the big key gen state handling and the structure for the in memory layout still open.

…r reserved field being 0

…enabled

…erializeKey

… wolfHSM

padelsbach · 2026-06-19T07:14:38Z

@Frauschi, another big update. Please re-review if you have a chance

Frauschi

Mostly LGTM now, thanks for fixing all the issues!

Two things are still open:

The key gen handling with the write-callback, see my new comment in the thread.
Some places in the code need more gating for VERIFY_ONLY, mostly in wh_crypto.c.

padelsbach · 2026-06-19T23:26:44Z

@Frauschi, another update addressing those last two items.

… test/

padelsbach force-pushed the lms-xmss branch 2 times, most recently from e01c4e8 to 322c2ba Compare May 11, 2026 16:52

padelsbach force-pushed the lms-xmss branch 2 times, most recently from d524cee to c9dad02 Compare May 18, 2026 21:59

bigbrett assigned padelsbach May 18, 2026

padelsbach force-pushed the lms-xmss branch 2 times, most recently from d104594 to 2c5db59 Compare May 19, 2026 18:36

padelsbach assigned wolfSSL-Bot and unassigned padelsbach May 19, 2026

padelsbach marked this pull request as ready for review May 19, 2026 18:50

padelsbach requested a review from wolfSSL-Fenrir-bot May 19, 2026 18:50

wolfSSL-Fenrir-bot reviewed May 19, 2026

View reviewed changes

Comment thread src/wh_server_crypto.c Outdated

Comment thread src/wh_server_crypto.c Outdated

Comment thread src/wh_server_crypto.c Outdated

padelsbach force-pushed the lms-xmss branch from 2c5db59 to 070f1f5 Compare May 21, 2026 21:56