Address remaining PR review comments

- tests/api.c:1562: drop the duplicated HAVE_DILITHIUM term in the
  test_dual_alg_ecdsa_mldsa #if condition.
- src/ssl.c: shift the WOLFSSL_PQC_HYBRIDS / WOLFSSL_EXTRA_PQC_HYBRIDS
  sub-blocks in isValidCurveGroup out one indentation level so they
  align with the surrounding ML-KEM standalone block now that the
  outer WOLFSSL_HAVE_MLKEM guard is gone.
- wolfcrypt/src/wc_pkcs11.c: drop the HAVE_PKCS11_MLKEM shim. With
  the WOLFSSL_WC_MLKEM gate retired, the intermediate macro was
  always equivalent to WOLFSSL_HAVE_MLKEM, so switch every
  HAVE_PKCS11_MLKEM reference to WOLFSSL_HAVE_MLKEM and handle
  NO_PKCS11_MLKEM by #undef'ing WOLFSSL_HAVE_MLKEM in-file, matching
  the existing NO_PKCS11_MLDSA pattern.
- wolfssl/wolfcrypt/dilithium.h:71: remove stale 4-space indentation
  left over from the HAVE_DILITHIUM nesting that was dropped.
- wolfssl/wolfcrypt/wc_mlkem.h: move the extern "C" wrapper up so it
  encloses the ML-KEM enum and MlKemKey typedef in addition to the
  function declarations, matching the dilithium.h layout.

Author: claude

src/ssl.c

@@ -3231,18 +3231,18 @@ static int isValidCurveGroup(word16 name)
         case WOLFSSL_ML_KEM_768:
         case WOLFSSL_ML_KEM_1024:
     #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */
-        #ifdef WOLFSSL_PQC_HYBRIDS
+    #ifdef WOLFSSL_PQC_HYBRIDS
         case WOLFSSL_SECP384R1MLKEM1024:
         case WOLFSSL_X25519MLKEM768:
         case WOLFSSL_SECP256R1MLKEM768:
-        #endif /* WOLFSSL_PQC_HYBRIDS */
-        #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
+    #endif /* WOLFSSL_PQC_HYBRIDS */
+    #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
         case WOLFSSL_SECP256R1MLKEM512:
         case WOLFSSL_SECP384R1MLKEM768:
         case WOLFSSL_SECP521R1MLKEM1024:
         case WOLFSSL_X25519MLKEM512:
         case WOLFSSL_X448MLKEM768:
-        #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
+    #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
 #endif /* !WOLFSSL_NO_ML_KEM */
 #ifdef WOLFSSL_MLKEM_KYBER
         case WOLFSSL_KYBER_LEVEL1:

tests/api.c

@@ -1559,7 +1559,6 @@ static int test_dual_alg_ecdsa_mldsa(void)
     EXPECT_DECLS;
 #if defined(WOLFSSL_DUAL_ALG_CERTS) && defined(HAVE_DILITHIUM) && \
     defined(HAVE_ECC) && !defined(WC_NO_RNG) && \
-    defined(HAVE_DILITHIUM) && \
     !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) && \
     !defined(WOLFSSL_DILITHIUM_NO_SIGN) && \
     !defined(WOLFSSL_DILITHIUM_NO_VERIFY) && !defined(WOLFSSL_SMALL_STACK)

wolfcrypt/src/wc_pkcs11.c

@@ -69,23 +69,20 @@
 #if defined(NO_PKCS11_MLDSA) && defined(HAVE_DILITHIUM)
     #undef HAVE_DILITHIUM
 #endif
-#if defined(WOLFSSL_HAVE_MLKEM)
-    #define HAVE_PKCS11_MLKEM
-#endif
-#if defined(NO_PKCS11_MLKEM) && defined(HAVE_PKCS11_MLKEM)
-    #undef HAVE_PKCS11_MLKEM
+#if defined(NO_PKCS11_MLKEM) && defined(WOLFSSL_HAVE_MLKEM)
+    #undef WOLFSSL_HAVE_MLKEM
 #endif
 
 
 #if (defined(HAVE_ECC) && !defined(NO_PKCS11_ECDH)) || \
-    defined(HAVE_PKCS11_MLKEM)
+    defined(WOLFSSL_HAVE_MLKEM)
 /* Pointer to false required for templates. */
 static CK_BBOOL ckFalse = CK_FALSE;
 #endif
 #if !defined(NO_RSA) || defined(HAVE_ECC) || (!defined(NO_AES) && \
            (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || \
            !defined(NO_HMAC) || defined(HAVE_DILITHIUM) || \
-           defined(HAVE_PKCS11_MLKEM)
+           defined(WOLFSSL_HAVE_MLKEM)
 /* Pointer to true required for templates. */
 static CK_BBOOL ckTrue  = CK_TRUE;
 #endif
@@ -98,7 +95,7 @@ static CK_KEY_TYPE rsaKeyType   = CKK_RSA;
 /* Pointer to EC key type required for templates. */
 static CK_KEY_TYPE ecKeyType    = CKK_EC;
 #endif
-#if defined(HAVE_PKCS11_MLKEM)
+#if defined(WOLFSSL_HAVE_MLKEM)
 /* Pointer to ML-KEM key type required for templates. */
 static CK_KEY_TYPE mlkemKeyType = CKK_ML_KEM;
 #endif
@@ -107,15 +104,15 @@ static CK_KEY_TYPE mlkemKeyType = CKK_ML_KEM;
 static CK_KEY_TYPE mldsaKeyType = CKK_ML_DSA;
 #endif
 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_DILITHIUM) || \
-    defined(HAVE_PKCS11_MLKEM)
+    defined(WOLFSSL_HAVE_MLKEM)
 /* Pointer to public key class required for templates. */
 static CK_OBJECT_CLASS pubKeyClass     = CKO_PUBLIC_KEY;
 /* Pointer to private key class required for templates. */
 static CK_OBJECT_CLASS privKeyClass    = CKO_PRIVATE_KEY;
 #endif
 #if (!defined(NO_AES) && (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || \
             !defined(NO_HMAC) || (defined(HAVE_ECC) && !defined(NO_PKCS11_ECDH)) || \
-            defined(HAVE_PKCS11_MLKEM)
+            defined(WOLFSSL_HAVE_MLKEM)
 /* Pointer to secret key class required for templates. */
 static CK_OBJECT_CLASS secretKeyClass  = CKO_SECRET_KEY;
 #endif
@@ -1572,7 +1569,7 @@ static int Pkcs11CreateEccPrivateKey(CK_OBJECT_HANDLE* privateKey,
 }
 #endif
 
-#ifdef HAVE_PKCS11_MLKEM
+#ifdef WOLFSSL_HAVE_MLKEM
 /**
  * Create a PKCS#11 object containing the ML-KEM public key data.
  */
@@ -1772,7 +1769,7 @@ static int Pkcs11CreateMlKemPrivateKey(CK_OBJECT_HANDLE* privateKey,
 
     return ret;
 }
-#endif /* HAVE_PKCS11_MLKEM */
+#endif /* WOLFSSL_HAVE_MLKEM */
 
 #ifdef HAVE_DILITHIUM
 /**
@@ -1949,7 +1946,7 @@ static int Pkcs11CreateMldsaPrivateKey(CK_OBJECT_HANDLE* privateKey,
 #if !defined(NO_RSA) || defined(HAVE_ECC) || (!defined(NO_AES) && \
            (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || \
            !defined(NO_HMAC) || defined(HAVE_DILITHIUM) || \
-           defined(HAVE_PKCS11_MLKEM)
+           defined(WOLFSSL_HAVE_MLKEM)
 /**
  * Check if mechanism is available in session on token.
  *
@@ -2191,7 +2188,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
                 break;
             }
     #endif
-    #ifdef HAVE_PKCS11_MLKEM
+    #ifdef WOLFSSL_HAVE_MLKEM
             case PKCS11_KEY_TYPE_MLKEM: {
                 MlKemKey* mlkemKey = (MlKemKey*)key;
                 CK_MECHANISM_INFO mechInfo;
@@ -2220,7 +2217,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
                 }
                 break;
             }
-    #endif /* HAVE_PKCS11_MLKEM */
+    #endif /* WOLFSSL_HAVE_MLKEM */
     #if defined(HAVE_DILITHIUM)
             case PKCS11_KEY_TYPE_MLDSA: {
                 MlDsaKey* mldsaKey = (MlDsaKey*) key;
@@ -4243,7 +4240,7 @@ static int Pkcs11EccDeletePrivKey(Pkcs11Session* session, ecc_key* key)
 }
 #endif
 
-#ifdef HAVE_PKCS11_MLKEM
+#ifdef WOLFSSL_HAVE_MLKEM
 /* Finds the first ML-KEM key matching the key type. */
 static int Pkcs11FindMlKemKey(CK_OBJECT_HANDLE* handle,
                               CK_OBJECT_CLASS keyClass,
@@ -4747,7 +4744,7 @@ static int Pkcs11PqcKemDecapsulate(Pkcs11Session* session, wc_CryptoInfo* info)
 
     return ret;
 }
-#endif /* HAVE_PKCS11_MLKEM */
+#endif /* WOLFSSL_HAVE_MLKEM */
 
 #if defined(HAVE_DILITHIUM)
 /**
@@ -6330,7 +6327,7 @@ int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
     if (ret == 0) {
         if (info->algo_type == WC_ALGO_TYPE_PK) {
 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_DILITHIUM) || \
-    defined(HAVE_PKCS11_MLKEM)
+    defined(WOLFSSL_HAVE_MLKEM)
             switch (info->pk.type) {
     #ifndef NO_RSA
                 case WC_PK_TYPE_RSA:
@@ -6410,7 +6407,7 @@ int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
                     }
                     break;
     #endif
-    #ifdef HAVE_PKCS11_MLKEM
+    #ifdef WOLFSSL_HAVE_MLKEM
                 case WC_PK_TYPE_PQC_KEM_KEYGEN:
                     ret = Pkcs11OpenSession(token, &session, readWrite);
                     if (ret == 0) {
@@ -6469,7 +6466,7 @@ int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
             }
 #else
             ret = NOT_COMPILED_IN;
-#endif /* !NO_RSA || HAVE_ECC || HAVE_DILITHIUM || HAVE_PKCS11_MLKEM */
+#endif /* !NO_RSA || HAVE_ECC || HAVE_DILITHIUM || WOLFSSL_HAVE_MLKEM */
         }
         else if (info->algo_type == WC_ALGO_TYPE_CIPHER) {
     #ifndef NO_AES
@@ -6603,7 +6600,7 @@ int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
             }
             else
     #endif
-    #ifdef HAVE_PKCS11_MLKEM
+    #ifdef WOLFSSL_HAVE_MLKEM
             if (info->free.algo == WC_ALGO_TYPE_PK &&
                 info->free.type == WC_PK_TYPE_PQC_KEM_KEYGEN &&
                 info->free.subType == WC_PQC_KEM_TYPE_KYBER) {

wolfssl/wolfcrypt/dilithium.h

@@ -68,7 +68,7 @@
     #define WOLFSSL_DILITHIUM_CHECK_KEY
 #endif
 
-    #include <wolfssl/wolfcrypt/sha3.h>
+#include <wolfssl/wolfcrypt/sha3.h>
 #ifndef WOLFSSL_DILITHIUM_VERIFY_ONLY
     #include <wolfssl/wolfcrypt/random.h>
 #endif

wolfssl/wolfcrypt/wc_mlkem.h

@@ -32,6 +32,10 @@
 
 #ifdef WOLFSSL_HAVE_MLKEM
 
+#ifdef __cplusplus
+    extern "C" {
+#endif
+
 #ifdef WOLFSSL_KYBER_NO_MAKE_KEY
     #define WOLFSSL_MLKEM_NO_MAKE_KEY
 #endif
@@ -417,10 +421,6 @@ typedef struct MlKemKey {
 } MlKemKey;
 
 
-#ifdef __cplusplus
-    extern "C" {
-#endif
-
 WOLFSSL_API MlKemKey* wc_MlKemKey_New(int type, void* heap, int devId);
 WOLFSSL_API int  wc_MlKemKey_Delete(MlKemKey* key, MlKemKey** key_p);