Improvements to C# PQC

dgarske · dgarske · commit ece3d2e0eb46 · 2026-04-10T12:01:07.000-07:00
diff --git a/wrapper/CSharp/README.md b/wrapper/CSharp/README.md
@@ -40,13 +40,15 @@ apt-get install mono-complete
 
 ### Build wolfSSL and install
 
+Build and install into a local prefix (no sudo required):
+
 ```
 ./autogen.sh
 cp wrapper/CSharp/user_settings.h .
-./configure --enable-usersettings
+./configure --enable-usersettings --prefix=$(pwd)/install
 make
 make check
-sudo make install
+make install
 ```
 
 ### Build and run the wolfCrypt test wrapper
@@ -57,7 +59,13 @@ Compile wolfCrypt test:
 
 ```
 mcs wolfCrypt-Test/wolfCrypt-Test.cs wolfSSL_CSharp/wolfCrypt.cs wolfSSL_CSharp/wolfSSL.cs wolfSSL_CSharp/X509.cs -OUT:wolfcrypttest.exe
-mono wolfcrypttest.exe
+```
+
+Run from the wolfSSL root directory using `LD_LIBRARY_PATH` so mono loads
+the freshly-built library from the local install prefix:
+
+```
+LD_LIBRARY_PATH=./install/lib mono wrapper/CSharp/wolfcrypttest.exe
 ```
 
 ### Build and run the wolfSSL client/server test
diff --git a/wrapper/CSharp/user_settings.h b/wrapper/CSharp/user_settings.h
@@ -90,6 +90,7 @@
 #define HAVE_MLKEM
 #define WOLFSSL_WC_MLKEM
 #define WOLFSSL_HAVE_MLKEM
+/* Required for PQC with DTLS 1.3 (auto-enabled in settings.h, explicit for clarity) */
 #define WOLFSSL_DTLS_CH_FRAG
 #define HAVE_DILITHIUM
 #define WOLFSSL_WC_DILITHIUM
diff --git a/wrapper/CSharp/wolfCrypt-Test/wolfCrypt-Test.cs b/wrapper/CSharp/wolfCrypt-Test/wolfCrypt-Test.cs
@@ -871,15 +871,15 @@ private static void mldsa_test(wolfcrypt.MlDsaLevels level)
             if (ret == 0)
             {
                 Console.WriteLine("Testing ML-DSA Key Export...");
-                ret = DilithiumExportPrivateKey(key, out privateKey);
+                ret = wolfcrypt.DilithiumExportPrivateKey(key, out privateKey);
                 if (ret != 0)
                 {
                     Console.Error.WriteLine($"Failed to export private key. Error code: {ret}");
                 }
             }
             if (ret == 0)
             {
-                ret = DilithiumExportPublicKey(key, out publicKey);
+                ret = wolfcrypt.DilithiumExportPublicKey(key, out publicKey);
                 if (ret != 0)
                 {
                     Console.Error.WriteLine($"Failed to export public key. Error code: {ret}");
@@ -894,15 +894,15 @@ private static void mldsa_test(wolfcrypt.MlDsaLevels level)
             if (ret == 0)
             {
                 Console.WriteLine("Testing ML-DSA Key Import...");
-                ret = DilithiumImportPrivateKey(privateKey, key);
+                ret = wolfcrypt.DilithiumImportPrivateKey(privateKey, key);
                 if (ret != 0)
                 {
                     Console.Error.WriteLine($"Failed to import private key. Error code: {ret}");
                 }
             }
             if (ret == 0)
             {
-                ret = DilithiumImportPublicKey(publicKey, key);
+                ret = wolfcrypt.DilithiumImportPublicKey(publicKey, key);
                 if (ret != 0)
                 {
                     Console.Error.WriteLine($"Failed to import public key. Error code: {ret}");
diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs
@@ -528,9 +528,9 @@ public class wolfcrypt
         [DllImport(wolfssl_dll)]
         private static extern int wc_dilithium_import_public(byte[] input, uint inputLen, IntPtr key);
         [DllImport(wolfssl_dll)]
-        private static extern int wc_dilithium_sign_msg(byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng);
+        private static extern int wc_dilithium_sign_ctx_msg(byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng);
         [DllImport(wolfssl_dll)]
-        private static extern int wc_dilithium_verify_msg(byte[] sig, uint sigLen, byte[] msg, uint msgLen, ref int res, IntPtr key);
+        private static extern int wc_dilithium_verify_ctx_msg(byte[] sig, uint sigLen, byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, ref int res, IntPtr key);
         [DllImport(wolfssl_dll)]
         private static extern int wc_MlDsaKey_GetPrivLen(IntPtr key, ref int len);
         [DllImport(wolfssl_dll)]
@@ -559,9 +559,9 @@ public class wolfcrypt
         [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
         private static extern int wc_dilithium_import_public(byte[] input, uint inputLen, IntPtr key);
         [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
-        private static extern int wc_dilithium_sign_msg(byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng);
+        private static extern int wc_dilithium_sign_ctx_msg(byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng);
         [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
-        private static extern int wc_dilithium_verify_msg(byte[] sig, uint sigLen, byte[] msg, uint msgLen, ref int res, IntPtr key);
+        private static extern int wc_dilithium_verify_ctx_msg(byte[] sig, uint sigLen, byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, ref int res, IntPtr key);
         [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
         private static extern int wc_MlDsaKey_GetPrivLen(IntPtr key, ref int len);
         [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
@@ -2933,18 +2933,15 @@ public static IntPtr MlKemMakeKey(MlKemTypes type, IntPtr heap, int devId)
         /// <returns>0 on success, negative value on error.</returns>
         public static int MlKemFreeKey(ref IntPtr key)
         {
-            int ret = 0;
+            int ret;
 
             if (key == IntPtr.Zero)
             {
                 return BAD_FUNC_ARG;
             }
 
-            if (key != IntPtr.Zero)
-            {
-                ret = wc_MlKemKey_Delete(key, IntPtr.Zero);
-                key = IntPtr.Zero;
-            }
+            ret = wc_MlKemKey_Delete(key, IntPtr.Zero);
+            key = IntPtr.Zero;
             return ret;
         }
 
@@ -2968,10 +2965,10 @@ public static int MlKemEncodePublicKey(IntPtr key, out byte[] publicKey)
             try
             {
                 ret = wc_MlKemKey_PublicKeySize(key, ref pubLen);
-                if (ret !=0 || pubLen == 0)
+                if (ret != 0 || pubLen == 0)
                 {
                     log(ERROR_LOG, "Failed to get MlKem public key length. Error code: " + ret);
-                    return ret;
+                    return (ret != 0) ? ret : BAD_FUNC_ARG;
                 }
                 if (pubLen > int.MaxValue)
                 {
@@ -3017,10 +3014,10 @@ public static int MlKemEncodePrivateKey(IntPtr key, out byte[] privateKey)
             try
             {
                 ret = wc_MlKemKey_PrivateKeySize(key, ref privLen);
-                if (ret !=0 || privLen == 0)
+                if (ret != 0 || privLen == 0)
                 {
                     log(ERROR_LOG, "Failed to get MlKem private key length. Error code: " + ret);
-                    return ret;
+                    return (ret != 0) ? ret : BAD_FUNC_ARG;
                 }
                 if (privLen > int.MaxValue)
                 {
@@ -3074,14 +3071,14 @@ public static int MlKemDecodePublicKey(IntPtr key, byte[] publicKey)
                 if (ret != 0 || pubLen == 0)
                 {
                     log(ERROR_LOG, "Failed to get MlKem public key length. Error code: " + ret);
-                    return ret;
+                    return (ret != 0) ? ret : BAD_FUNC_ARG;
                 }
                 if ((uint)publicKey.Length != pubLen)
-                 {
-                     log(ERROR_LOG, "MlKem public key buffer length mismatch. Expected: " +
-                         pubLen + ", actual: " + publicKey.Length);
-                     return BUFFER_E;
-                 }
+                {
+                    log(ERROR_LOG, "MlKem public key buffer length mismatch. Expected: " +
+                        pubLen + ", actual: " + publicKey.Length);
+                    return BUFFER_E;
+                }
 
                 ret = wc_MlKemKey_DecodePublicKey(key, publicKey, pubLen);
                 if (ret != 0)
@@ -3123,12 +3120,12 @@ public static int MlKemDecodePrivateKey(IntPtr key, byte[] privateKey)
             try
             {
                 ret = wc_MlKemKey_PrivateKeySize(key, ref privLen);
-                if (privLen == 0)
+                if (ret != 0 || privLen == 0)
                 {
                     log(ERROR_LOG, "Failed to get MlKem private key length. Error code: " + ret);
-                    return ret;
+                    return (ret != 0) ? ret : BAD_FUNC_ARG;
                 }
-                
+
                 if ((uint)privateKey.Length != privLen)
                 {
                     log(ERROR_LOG, "MlKem private key buffer length mismatch. Required: " + privLen +
@@ -3367,18 +3364,15 @@ public static IntPtr DilithiumMakeKey(IntPtr heap, int devId, MlDsaLevels level)
         /// <returns>0 on success, negative value on error.</returns>
         public static int DilithiumFreeKey(ref IntPtr key)
         {
-            int ret = 0;
+            int ret;
 
             if (key == IntPtr.Zero)
             {
                 return BAD_FUNC_ARG;
             }
 
-            if (key != IntPtr.Zero)
-            {
-                ret = wc_dilithium_delete(key, IntPtr.Zero);
-                key = IntPtr.Zero;
-            }
+            ret = wc_dilithium_delete(key, IntPtr.Zero);
+            key = IntPtr.Zero;
             return ret;
         }
 
@@ -3451,10 +3445,10 @@ public static int DilithiumExportPrivateKey(IntPtr key, out byte[] privateKey)
             try
             {
                 ret = wc_MlDsaKey_GetPrivLen(key, ref privLen);
-                if (privLen <= 0)
+                if (ret != 0 || privLen <= 0)
                 {
                     log(ERROR_LOG, "Failed to get Dilithium private key length. Error code: " + ret);
-                    return ret;
+                    return (ret != 0) ? ret : BAD_FUNC_ARG;
                 }
 
                 privateKey = new byte[privLen];
@@ -3501,10 +3495,10 @@ public static int DilithiumExportPublicKey(IntPtr key, out byte[] publicKey)
             try
             {
                 ret = wc_MlDsaKey_GetPubLen(key, ref pubLen);
-                if (pubLen <= 0)
+                if (ret != 0 || pubLen <= 0)
                 {
                     log(ERROR_LOG, "Failed to get Dilithium public key length. Error code: " + ret);
-                    return ret;
+                    return (ret != 0) ? ret : BAD_FUNC_ARG;
                 }
 
                 publicKey = new byte[pubLen];
@@ -3553,10 +3547,10 @@ public static int DilithiumSignMsg(IntPtr key, byte[] msg, out byte[] sig)
             try
             {
                 ret = wc_MlDsaKey_GetSigLen(key, ref sigLen);
-                if (sigLen <= 0)
+                if (ret != 0 || sigLen <= 0)
                 {
                     log(ERROR_LOG, "Failed to get Dilithium signature length. Error code: " + ret);
-                    return ret;
+                    return (ret != 0) ? ret : BAD_FUNC_ARG;
                 }
 
                 sig = new byte[sigLen];
@@ -3565,9 +3559,10 @@ public static int DilithiumSignMsg(IntPtr key, byte[] msg, out byte[] sig)
                 if (rng == IntPtr.Zero)
                 {
                     log(ERROR_LOG, "Failed to create RNG for Dilithium signing.");
-                    return EXCEPTION_E;
+                    return MEMORY_E;
                 }
-                ret = wc_dilithium_sign_msg(msg, (uint)msg.Length, sig, ref outLen, key, rng);
+                /* FIPS 204 sign with empty context (ctx=null, ctxLen=0). */
+                ret = wc_dilithium_sign_ctx_msg(null, 0, msg, (uint)msg.Length, sig, ref outLen, key, rng);
                 if (ret != 0)
                 {
                     log(ERROR_LOG, "Failed to sign message with Dilithium key. Error code: " + ret);
@@ -3611,7 +3606,8 @@ public static int DilithiumVerifyMsg(IntPtr key, byte[] msg, byte[] sig)
 
             try
             {
-                ret = wc_dilithium_verify_msg(sig, (uint)sig.Length, msg, (uint)msg.Length, ref res, key);
+                /* FIPS 204 verify with empty context (ctx=null, ctxLen=0). */
+                ret = wc_dilithium_verify_ctx_msg(sig, (uint)sig.Length, null, 0, msg, (uint)msg.Length, ref res, key);
                 if (ret != 0)
                 {
                     log(ERROR_LOG, "Failed to verify message with Dilithium key. Error code: " + ret);
diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs
@@ -795,8 +795,6 @@ public enum NamedGroup
             WOLFSSL_SECP521R1MLKEM1024    = 12109,
             WOLFSSL_X25519MLKEM512        = 12214,
             WOLFSSL_X448MLKEM768          = 12215,
-
-            WOLF_ENUM_DUMMY_LAST_ELEMENT = 0
         }
 
 

Original file line number	Diff line number	Diff line change
`@@ -871,15 +871,15 @@ private static void mldsa_test(wolfcrypt.MlDsaLevels level)`
`871`	`871`	`if (ret == 0)`
`872`	`872`	`{`
`873`	`873`	`Console.WriteLine("Testing ML-DSA Key Export...");`
`874`		`- ret = DilithiumExportPrivateKey(key, out privateKey);`
	`874`	`+ ret = wolfcrypt.DilithiumExportPrivateKey(key, out privateKey);`
`875`	`875`	`if (ret != 0)`
`876`	`876`	`{`
`877`	`877`	`Console.Error.WriteLine($"Failed to export private key. Error code: {ret}");`
`878`	`878`	`}`
`879`	`879`	`}`
`880`	`880`	`if (ret == 0)`
`881`	`881`	`{`
`882`		`- ret = DilithiumExportPublicKey(key, out publicKey);`
	`882`	`+ ret = wolfcrypt.DilithiumExportPublicKey(key, out publicKey);`
`883`	`883`	`if (ret != 0)`
`884`	`884`	`{`
`885`	`885`	`Console.Error.WriteLine($"Failed to export public key. Error code: {ret}");`
`@@ -894,15 +894,15 @@ private static void mldsa_test(wolfcrypt.MlDsaLevels level)`
`894`	`894`	`if (ret == 0)`
`895`	`895`	`{`
`896`	`896`	`Console.WriteLine("Testing ML-DSA Key Import...");`
`897`		`- ret = DilithiumImportPrivateKey(privateKey, key);`
	`897`	`+ ret = wolfcrypt.DilithiumImportPrivateKey(privateKey, key);`
`898`	`898`	`if (ret != 0)`
`899`	`899`	`{`
`900`	`900`	`Console.Error.WriteLine($"Failed to import private key. Error code: {ret}");`
`901`	`901`	`}`
`902`	`902`	`}`
`903`	`903`	`if (ret == 0)`
`904`	`904`	`{`
`905`		`- ret = DilithiumImportPublicKey(publicKey, key);`
	`905`	`+ ret = wolfcrypt.DilithiumImportPublicKey(publicKey, key);`
`906`	`906`	`if (ret != 0)`
`907`	`907`	`{`
`908`	`908`	`Console.Error.WriteLine($"Failed to import public key. Error code: {ret}");`
Original file line number	Diff line number	Diff line change
`@@ -528,9 +528,9 @@ public class wolfcrypt`
`528`	`528`	`[DllImport(wolfssl_dll)]`
`529`	`529`	`private static extern int wc_dilithium_import_public(byte[] input, uint inputLen, IntPtr key);`
`530`	`530`	`[DllImport(wolfssl_dll)]`
`531`		`- private static extern int wc_dilithium_sign_msg(byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng);`
	`531`	`+ private static extern int wc_dilithium_sign_ctx_msg(byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng);`
`532`	`532`	`[DllImport(wolfssl_dll)]`
`533`		`- private static extern int wc_dilithium_verify_msg(byte[] sig, uint sigLen, byte[] msg, uint msgLen, ref int res, IntPtr key);`
	`533`	`+ private static extern int wc_dilithium_verify_ctx_msg(byte[] sig, uint sigLen, byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, ref int res, IntPtr key);`
`534`	`534`	`[DllImport(wolfssl_dll)]`
`535`	`535`	`private static extern int wc_MlDsaKey_GetPrivLen(IntPtr key, ref int len);`
`536`	`536`	`[DllImport(wolfssl_dll)]`
`@@ -559,9 +559,9 @@ public class wolfcrypt`
`559`	`559`	`[DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]`
`560`	`560`	`private static extern int wc_dilithium_import_public(byte[] input, uint inputLen, IntPtr key);`
`561`	`561`	`[DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]`
`562`		`- private static extern int wc_dilithium_sign_msg(byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng);`
	`562`	`+ private static extern int wc_dilithium_sign_ctx_msg(byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng);`
`563`	`563`	`[DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]`
`564`		`- private static extern int wc_dilithium_verify_msg(byte[] sig, uint sigLen, byte[] msg, uint msgLen, ref int res, IntPtr key);`
	`564`	`+ private static extern int wc_dilithium_verify_ctx_msg(byte[] sig, uint sigLen, byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, ref int res, IntPtr key);`
`565`	`565`	`[DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]`
`566`	`566`	`private static extern int wc_MlDsaKey_GetPrivLen(IntPtr key, ref int len);`
`567`	`567`	`[DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]`
`@@ -2933,18 +2933,15 @@ public static IntPtr MlKemMakeKey(MlKemTypes type, IntPtr heap, int devId)`
`2933`	`2933`	`/// <returns>0 on success, negative value on error.</returns>`
`2934`	`2934`	`public static int MlKemFreeKey(ref IntPtr key)`
`2935`	`2935`	`{`
`2936`		`- int ret = 0;`
	`2936`	`+ int ret;`
`2937`	`2937`
`2938`	`2938`	`if (key == IntPtr.Zero)`
`2939`	`2939`	`{`
`2940`	`2940`	`return BAD_FUNC_ARG;`
`2941`	`2941`	`}`
`2942`	`2942`
`2943`		`- if (key != IntPtr.Zero)`
`2944`		`- {`
`2945`		`- ret = wc_MlKemKey_Delete(key, IntPtr.Zero);`
`2946`		`- key = IntPtr.Zero;`
`2947`		`- }`
	`2943`	`+ ret = wc_MlKemKey_Delete(key, IntPtr.Zero);`
	`2944`	`+ key = IntPtr.Zero;`
`2948`	`2945`	`return ret;`
`2949`	`2946`	`}`
`2950`	`2947`
`@@ -2968,10 +2965,10 @@ public static int MlKemEncodePublicKey(IntPtr key, out byte[] publicKey)`
`2968`	`2965`	`try`
`2969`	`2966`	`{`
`2970`	`2967`	`ret = wc_MlKemKey_PublicKeySize(key, ref pubLen);`
`2971`		`- if (ret !=0 \|\| pubLen == 0)`
	`2968`	`+ if (ret != 0 \|\| pubLen == 0)`
`2972`	`2969`	`{`
`2973`	`2970`	`log(ERROR_LOG, "Failed to get MlKem public key length. Error code: " + ret);`
`2974`		`- return ret;`
	`2971`	`+ return (ret != 0) ? ret : BAD_FUNC_ARG;`
`2975`	`2972`	`}`
`2976`	`2973`	`if (pubLen > int.MaxValue)`
`2977`	`2974`	`{`
`@@ -3017,10 +3014,10 @@ public static int MlKemEncodePrivateKey(IntPtr key, out byte[] privateKey)`
`3017`	`3014`	`try`
`3018`	`3015`	`{`
`3019`	`3016`	`ret = wc_MlKemKey_PrivateKeySize(key, ref privLen);`
`3020`		`- if (ret !=0 \|\| privLen == 0)`
	`3017`	`+ if (ret != 0 \|\| privLen == 0)`
`3021`	`3018`	`{`
`3022`	`3019`	`log(ERROR_LOG, "Failed to get MlKem private key length. Error code: " + ret);`
`3023`		`- return ret;`
	`3020`	`+ return (ret != 0) ? ret : BAD_FUNC_ARG;`
`3024`	`3021`	`}`
`3025`	`3022`	`if (privLen > int.MaxValue)`
`3026`	`3023`	`{`
`@@ -3074,14 +3071,14 @@ public static int MlKemDecodePublicKey(IntPtr key, byte[] publicKey)`
`3074`	`3071`	`if (ret != 0 \|\| pubLen == 0)`
`3075`	`3072`	`{`
`3076`	`3073`	`log(ERROR_LOG, "Failed to get MlKem public key length. Error code: " + ret);`
`3077`		`- return ret;`
	`3074`	`+ return (ret != 0) ? ret : BAD_FUNC_ARG;`
`3078`	`3075`	`}`
`3079`	`3076`	`if ((uint)publicKey.Length != pubLen)`
`3080`		`- {`
`3081`		`- log(ERROR_LOG, "MlKem public key buffer length mismatch. Expected: " +`
`3082`		`- pubLen + ", actual: " + publicKey.Length);`
`3083`		`- return BUFFER_E;`
`3084`		`- }`
	`3077`	`+ {`
	`3078`	`+ log(ERROR_LOG, "MlKem public key buffer length mismatch. Expected: " +`
	`3079`	`+ pubLen + ", actual: " + publicKey.Length);`
	`3080`	`+ return BUFFER_E;`
	`3081`	`+ }`
`3085`	`3082`
`3086`	`3083`	`ret = wc_MlKemKey_DecodePublicKey(key, publicKey, pubLen);`
`3087`	`3084`	`if (ret != 0)`
`@@ -3123,12 +3120,12 @@ public static int MlKemDecodePrivateKey(IntPtr key, byte[] privateKey)`
`3123`	`3120`	`try`
`3124`	`3121`	`{`
`3125`	`3122`	`ret = wc_MlKemKey_PrivateKeySize(key, ref privLen);`
`3126`		`- if (privLen == 0)`
	`3123`	`+ if (ret != 0 \|\| privLen == 0)`
`3127`	`3124`	`{`
`3128`	`3125`	`log(ERROR_LOG, "Failed to get MlKem private key length. Error code: " + ret);`
`3129`		`- return ret;`
	`3126`	`+ return (ret != 0) ? ret : BAD_FUNC_ARG;`
`3130`	`3127`	`}`
`3131`		`-`
	`3128`	`+`
`3132`	`3129`	`if ((uint)privateKey.Length != privLen)`
`3133`	`3130`	`{`
`3134`	`3131`	`log(ERROR_LOG, "MlKem private key buffer length mismatch. Required: " + privLen +`
`@@ -3367,18 +3364,15 @@ public static IntPtr DilithiumMakeKey(IntPtr heap, int devId, MlDsaLevels level)`
`3367`	`3364`	`/// <returns>0 on success, negative value on error.</returns>`
`3368`	`3365`	`public static int DilithiumFreeKey(ref IntPtr key)`
`3369`	`3366`	`{`
`3370`		`- int ret = 0;`
	`3367`	`+ int ret;`
`3371`	`3368`
`3372`	`3369`	`if (key == IntPtr.Zero)`
`3373`	`3370`	`{`
`3374`	`3371`	`return BAD_FUNC_ARG;`
`3375`	`3372`	`}`
`3376`	`3373`
`3377`		`- if (key != IntPtr.Zero)`
`3378`		`- {`
`3379`		`- ret = wc_dilithium_delete(key, IntPtr.Zero);`
`3380`		`- key = IntPtr.Zero;`
`3381`		`- }`
	`3374`	`+ ret = wc_dilithium_delete(key, IntPtr.Zero);`
	`3375`	`+ key = IntPtr.Zero;`
`3382`	`3376`	`return ret;`
`3383`	`3377`	`}`
`3384`	`3378`
`@@ -3451,10 +3445,10 @@ public static int DilithiumExportPrivateKey(IntPtr key, out byte[] privateKey)`
`3451`	`3445`	`try`
`3452`	`3446`	`{`
`3453`	`3447`	`ret = wc_MlDsaKey_GetPrivLen(key, ref privLen);`
`3454`		`- if (privLen <= 0)`
	`3448`	`+ if (ret != 0 \|\| privLen <= 0)`
`3455`	`3449`	`{`
`3456`	`3450`	`log(ERROR_LOG, "Failed to get Dilithium private key length. Error code: " + ret);`
`3457`		`- return ret;`
	`3451`	`+ return (ret != 0) ? ret : BAD_FUNC_ARG;`
`3458`	`3452`	`}`
`3459`	`3453`
`3460`	`3454`	`privateKey = new byte[privLen];`
`@@ -3501,10 +3495,10 @@ public static int DilithiumExportPublicKey(IntPtr key, out byte[] publicKey)`
`3501`	`3495`	`try`
`3502`	`3496`	`{`
`3503`	`3497`	`ret = wc_MlDsaKey_GetPubLen(key, ref pubLen);`
`3504`		`- if (pubLen <= 0)`
	`3498`	`+ if (ret != 0 \|\| pubLen <= 0)`
`3505`	`3499`	`{`
`3506`	`3500`	`log(ERROR_LOG, "Failed to get Dilithium public key length. Error code: " + ret);`
`3507`		`- return ret;`
	`3501`	`+ return (ret != 0) ? ret : BAD_FUNC_ARG;`
`3508`	`3502`	`}`
`3509`	`3503`
`3510`	`3504`	`publicKey = new byte[pubLen];`
`@@ -3553,10 +3547,10 @@ public static int DilithiumSignMsg(IntPtr key, byte[] msg, out byte[] sig)`
`3553`	`3547`	`try`
`3554`	`3548`	`{`
`3555`	`3549`	`ret = wc_MlDsaKey_GetSigLen(key, ref sigLen);`
`3556`		`- if (sigLen <= 0)`
	`3550`	`+ if (ret != 0 \|\| sigLen <= 0)`
`3557`	`3551`	`{`
`3558`	`3552`	`log(ERROR_LOG, "Failed to get Dilithium signature length. Error code: " + ret);`
`3559`		`- return ret;`
	`3553`	`+ return (ret != 0) ? ret : BAD_FUNC_ARG;`
`3560`	`3554`	`}`
`3561`	`3555`
`3562`	`3556`	`sig = new byte[sigLen];`
`@@ -3565,9 +3559,10 @@ public static int DilithiumSignMsg(IntPtr key, byte[] msg, out byte[] sig)`
`3565`	`3559`	`if (rng == IntPtr.Zero)`
`3566`	`3560`	`{`
`3567`	`3561`	`log(ERROR_LOG, "Failed to create RNG for Dilithium signing.");`
`3568`		`- return EXCEPTION_E;`
	`3562`	`+ return MEMORY_E;`
`3569`	`3563`	`}`
`3570`		`- ret = wc_dilithium_sign_msg(msg, (uint)msg.Length, sig, ref outLen, key, rng);`
	`3564`	`+ /* FIPS 204 sign with empty context (ctx=null, ctxLen=0). */`
	`3565`	`+ ret = wc_dilithium_sign_ctx_msg(null, 0, msg, (uint)msg.Length, sig, ref outLen, key, rng);`
`3571`	`3566`	`if (ret != 0)`
`3572`	`3567`	`{`
`3573`	`3568`	`log(ERROR_LOG, "Failed to sign message with Dilithium key. Error code: " + ret);`
`@@ -3611,7 +3606,8 @@ public static int DilithiumVerifyMsg(IntPtr key, byte[] msg, byte[] sig)`
`3611`	`3606`
`3612`	`3607`	`try`
`3613`	`3608`	`{`
`3614`		`- ret = wc_dilithium_verify_msg(sig, (uint)sig.Length, msg, (uint)msg.Length, ref res, key);`
	`3609`	`+ /* FIPS 204 verify with empty context (ctx=null, ctxLen=0). */`
	`3610`	`+ ret = wc_dilithium_verify_ctx_msg(sig, (uint)sig.Length, null, 0, msg, (uint)msg.Length, ref res, key);`
`3615`	`3611`	`if (ret != 0)`
`3616`	`3612`	`{`
`3617`	`3613`	`log(ERROR_LOG, "Failed to verify message with Dilithium key. Error code: " + ret);`
Original file line number	Diff line number	Diff line change
`@@ -795,8 +795,6 @@ public enum NamedGroup`
`795`	`795`	`WOLFSSL_SECP521R1MLKEM1024 = 12109,`
`796`	`796`	`WOLFSSL_X25519MLKEM512 = 12214,`
`797`	`797`	`WOLFSSL_X448MLKEM768 = 12215,`
`798`		`-`
`799`		`- WOLF_ENUM_DUMMY_LAST_ELEMENT = 0`
`800`	`798`	`}`
`801`	`799`
`802`	`800`