wolfSSL · aidangarske · May 23, 2026 · May 23, 2026 · May 23, 2026 · May 23, 2026
diff --git a/.github/workflows/wolfssl-versions-pqc.yml b/.github/workflows/wolfssl-versions-pqc.yml
@@ -0,0 +1,92 @@
+name: wolfSSL Versions (PQC)
+
+# Backward-compatibility matrix for ML-KEM and ML-DSA.
+#
+# Three rows:
+#   - pre-PQC wolfSSL (e.g. v5.7.0-stable):
+#       wolfSSL is built without --enable-mlkem/--enable-dilithium. wolfProvider
+#       auto-detects via settings.h that PQC macros are undefined; the PQC
+#       source files compile to no-ops; the ML-KEM/ML-DSA tests are skipped.
+#       Proves the no-symbol path still builds and runs cleanly.
+#   - latest stable wolfSSL with PQC enabled:
+#       --enable-pqc is passed to scripts/build-wolfprovider.sh, which adds
+#       --enable-mlkem --enable-dilithium --enable-experimental to wolfSSL.
+#       wolfProvider's settings.h picks up WP_HAVE_MLKEM and WP_HAVE_MLDSA;
+#       the PQC tests run and must pass.
+#   - master wolfSSL with PQC enabled:
+#       Same as above against the development tip.
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pqc_version_test:
+    name: ${{ matrix.name }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: pre-PQC (v5.7.0-stable, PQC disabled)
+            wolfssl_ref: v5.7.0-stable
+            pqc: false
+          - name: latest stable (v5.8.4-stable, PQC enabled)
+            wolfssl_ref: v5.8.4-stable
+            pqc: true
+          - name: master (PQC enabled)
+            wolfssl_ref: master
+            pqc: true
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Build and test wolfProvider (PQC=${{ matrix.pqc }})
+        run: |
+          if [ "${{ matrix.pqc }}" = "true" ]; then
+            WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
+              ./scripts/build-wolfprovider.sh --enable-pqc
+          else
+            WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
+              ./scripts/build-wolfprovider.sh
+          fi
+
+      - name: Confirm PQC tests present (or absent) as expected
+        run: |
+          if [ "${{ matrix.pqc }}" = "true" ]; then
+            ./test/unit.test --list | grep -q 'test_mlkem_keygen' \
+              || { echo 'ERROR: PQC tests missing in PQC-enabled build'; exit 1; }
+            ./test/unit.test --list | grep -q 'test_mldsa_sign_verify' \
+              || { echo 'ERROR: ML-DSA tests missing in PQC-enabled build'; exit 1; }
+          else
+            if ./test/unit.test --list | grep -qE 'test_mlkem|test_mldsa'; then
+              echo 'ERROR: PQC tests present in pre-PQC build (should be skipped)'
+              exit 1
+            fi
+          fi
+
+      # Three-way interop: wolfProvider <-> OpenSSL default <-> wolfSSL direct.
+      # Proves wolfProvider's raw-key, ciphertext, and signature bytes are
+      # FIPS 203/204 standards-compliant by cross-checking against two
+      # independent reference implementations.
+      - name: Three-way PQC interop validation
+        if: matrix.pqc == true
+        run: |
+          LD_LIBRARY_PATH="$(pwd)/wolfssl-install/lib:$(pwd)/openssl-install/lib" \
+            ./test/pqc_interop.test
+
+      - name: Print errors on failure
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ]; then
+            cat test-suite.log
+          fi
diff --git a/include/wolfprovider/alg_funcs.h b/include/wolfprovider/alg_funcs.h
@@ -170,6 +170,16 @@ typedef void (*DFUNC)(void);
 #define WP_NAMES_DH             "DH"
 #define WP_NAMES_DHX            "DHX"
 
+/* ML-KEM names (NIST FIPS 203). */
+#define WP_NAMES_ML_KEM_512     "ML-KEM-512"
+#define WP_NAMES_ML_KEM_768     "ML-KEM-768"
+#define WP_NAMES_ML_KEM_1024    "ML-KEM-1024"
+
+/* ML-DSA names (NIST FIPS 204). */
+#define WP_NAMES_ML_DSA_44      "ML-DSA-44"
+#define WP_NAMES_ML_DSA_65      "ML-DSA-65"
+#define WP_NAMES_ML_DSA_87      "ML-DSA-87"
+
 /* DRBG names. */
 #define WP_NAMES_SEED_SRC       "SEED-SRC"
 #define WP_NAMES_CTR_DRBG       "CTR-DRBG"
@@ -222,6 +232,26 @@ void wp_ecx_free(wp_Ecx* ecx);
 void* wp_ecx_get_key(wp_Ecx* ecx);
 wolfSSL_Mutex* wp_ecx_get_mutex(wp_Ecx* ecx);
 
+/* Internal ML-KEM types and functions. */
+typedef struct wp_MlKem wp_MlKem;
+typedef struct wp_MlKemData wp_MlKemData;
+
+int wp_mlkem_up_ref(wp_MlKem* mlkem);
+void wp_mlkem_free(wp_MlKem* mlkem);
+void* wp_mlkem_get_key(wp_MlKem* mlkem);
+const wp_MlKemData* wp_mlkem_get_data(const wp_MlKem* mlkem);
+word32 wp_mlkem_data_ct_size(const wp_MlKemData* data);
+word32 wp_mlkem_data_ss_size(const wp_MlKemData* data);
+
+/* Internal ML-DSA types and functions. */
+typedef struct wp_MlDsa wp_MlDsa;
+
+int wp_mldsa_up_ref(wp_MlDsa* mldsa);
+void wp_mldsa_free(wp_MlDsa* mldsa);
+void* wp_mldsa_get_key(wp_MlDsa* mldsa);
+int wp_mldsa_get_level(const wp_MlDsa* mldsa);
+int wp_mldsa_get_sig_size(const wp_MlDsa* mldsa);
+
 /* Internal DH types and functions. */
 typedef struct wp_Dh wp_Dh;
 
@@ -325,12 +355,14 @@ extern const OSSL_DISPATCH wp_ed25519_signature_functions[];
 extern const OSSL_DISPATCH wp_ed448_signature_functions[];
 extern const OSSL_DISPATCH wp_hmac_signature_functions[];
 extern const OSSL_DISPATCH wp_cmac_signature_functions[];
+extern const OSSL_DISPATCH wp_mldsa_signature_functions[];
 
 /* Asymmetric cipher implementations. */
 extern const OSSL_DISPATCH wp_rsa_asym_cipher_functions[];
 
 /* KEM implementations. */
 extern const OSSL_DISPATCH wp_rsa_asym_kem_functions[];
+extern const OSSL_DISPATCH wp_mlkem_asym_kem_functions[];
 
 /* Key Management implementations. */
 extern const OSSL_DISPATCH wp_rsa_keymgmt_functions[];
@@ -344,6 +376,12 @@ extern const OSSL_DISPATCH wp_dh_keymgmt_functions[];
 extern const OSSL_DISPATCH wp_hmac_keymgmt_functions[];
 extern const OSSL_DISPATCH wp_cmac_keymgmt_functions[];
 extern const OSSL_DISPATCH wp_kdf_keymgmt_functions[];
+extern const OSSL_DISPATCH wp_mlkem512_keymgmt_functions[];
+extern const OSSL_DISPATCH wp_mlkem768_keymgmt_functions[];
+extern const OSSL_DISPATCH wp_mlkem1024_keymgmt_functions[];
+extern const OSSL_DISPATCH wp_mldsa44_keymgmt_functions[];
+extern const OSSL_DISPATCH wp_mldsa65_keymgmt_functions[];
+extern const OSSL_DISPATCH wp_mldsa87_keymgmt_functions[];
 
 /* Key exchange implementations. */
 extern const OSSL_DISPATCH wp_ecdh_keyexch_functions[];

diff --git a/include/wolfprovider/settings.h b/include/wolfprovider/settings.h
@@ -169,6 +169,18 @@
 #ifdef HAVE_ED448
      #define WP_HAVE_ED448
 #endif
+#ifdef WOLFSSL_HAVE_MLKEM
+    #define WP_HAVE_MLKEM
+    #define WP_HAVE_ML_KEM_512
+    #define WP_HAVE_ML_KEM_768
+    #define WP_HAVE_ML_KEM_1024
+#endif
+#ifdef HAVE_DILITHIUM
+    #define WP_HAVE_MLDSA
+    #define WP_HAVE_ML_DSA_44
+    #define WP_HAVE_ML_DSA_65
+    #define WP_HAVE_ML_DSA_87
+#endif
 #if !defined(NO_AES_CBC) && (defined(WP_HAVE_HMAC) || defined(WP_HAVE_CMAC))
     #define WP_HAVE_KBKDF
 #endif

diff --git a/scripts/build-wolfprovider.sh b/scripts/build-wolfprovider.sh
@@ -32,6 +32,8 @@ show_help() {
   echo "  --debug-silent             Debug logging compiled in but silent by default. Use WOLFPROV_LOG_LEVEL and WOLFPROV_LOG_COMPONENTS env vars to enable at runtime. Requires --debug."
   echo "  --enable-seed-src          Enable SEED-SRC entropy source with /dev/urandom caching for fork-safe entropy."
   echo "                             Note: This also enables WC_RNG_SEED_CB in wolfSSL."
+  echo "  --enable-pqc               Build wolfSSL with ML-KEM and ML-DSA post-quantum algorithms enabled."
+  echo "                             Adds --enable-mlkem --enable-dilithium --enable-experimental to wolfSSL configure."
   echo ""
   echo "Environment Variables:"
   echo "  OPENSSL_TAG                OpenSSL tag to use (e.g., openssl-3.5.0)"
@@ -51,6 +53,7 @@ show_help() {
   echo "  WOLFPROV_FIPS_BASELINE     If set to 1, applies FIPS baseline patch to OpenSSL (mutually exclusive with WOLFPROV_REPLACE_DEFAULT)"
   echo "  WOLFPROV_LEAVE_SILENT      If set to 1, suppress logging of return 0 in functions where return 0 is expected behavior sometimes."
   echo "  WOLFPROV_SEED_SRC          If set to 1, enables SEED-SRC with /dev/urandom caching (also enables WC_RNG_SEED_CB in wolfSSL)"
+  echo "  WOLFPROV_PQC               If set to 1, enables ML-KEM and ML-DSA post-quantum algorithms in wolfSSL"
   echo ""
 }
 
@@ -146,6 +149,9 @@ for arg in "$@"; do
         --enable-seed-src)
             WOLFPROV_SEED_SRC=1
             ;;
+        --enable-pqc)
+            WOLFPROV_PQC=1
+            ;;
         *)
             args_wrong+="$arg, "
             ;;

diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
@@ -38,6 +38,11 @@ if [ "$WOLFPROV_SEED_SRC" = "1" ]; then
     WOLFSSL_FIPS_CONFIG_CFLAGS="${WOLFSSL_FIPS_CONFIG_CFLAGS} -DWC_RNG_SEED_CB"
 fi
 
+# Enable ML-KEM and ML-DSA in wolfSSL when --enable-pqc is requested
+if [ "$WOLFPROV_PQC" = "1" ]; then
+    WOLFSSL_CONFIG_OPTS="${WOLFSSL_CONFIG_OPTS} --enable-mlkem --enable-dilithium --enable-experimental"
+fi
+
 WOLFSSL_DEBUG_ASN_TEMPLATE=${DWOLFSSL_DEBUG_ASN_TEMPLATE:-0}
 WOLFPROV_DISABLE_ERR_TRACE=${WOLFPROV_DISABLE_ERR_TRACE:-0}
 WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0}

diff --git a/src/include.am b/src/include.am
@@ -36,6 +36,10 @@ libwolfprov_la_SOURCES += src/wp_ecx_exch.c
 libwolfprov_la_SOURCES += src/wp_ecx_sig.c
 libwolfprov_la_SOURCES += src/wp_dh_kmgmt.c
 libwolfprov_la_SOURCES += src/wp_dh_exch.c
+libwolfprov_la_SOURCES += src/wp_mlkem_kmgmt.c
+libwolfprov_la_SOURCES += src/wp_mlkem_kem.c
+libwolfprov_la_SOURCES += src/wp_mldsa_kmgmt.c
+libwolfprov_la_SOURCES += src/wp_mldsa_sig.c
 libwolfprov_la_SOURCES += src/wp_drbg.c
 libwolfprov_la_SOURCES += src/wp_seed_src.c
 libwolfprov_la_SOURCES += src/wp_dec_pem2der.c