Add ML-KEM and ML-DSA support

.dockerignore

@@ -0,0 +1,9 @@
+# Build artifacts from build-wolfprovider.sh are re-created inside the image;
+# never ship them in the Docker build context (used by .github/nginx/Dockerfile).
+openssl-source
+openssl-install
+wolfssl-source
+wolfssl-install
+wolfprov-install
+**/*.bak
+.git

.github/README.md

@@ -96,7 +96,7 @@ gh workflow run pr-osp-select.yml --ref <branch> -f jobs="all"
 
 ### What runs in the nightly fan-out
 
-42 workflows total: 39 third-party OSS integrations, 2 internal
+43 workflows total: 40 third-party OSS integrations, 2 internal
 validations, and the static-analysis suite. Every one of these patches
 the upstream project (where needed) via `osp/wolfProvider/<app>/*.patch`
 from [wolfssl/osp](https://github.com/wolfssl/osp), builds it against
@@ -112,6 +112,7 @@ exercised, with and without `WOLFPROV_FORCE_FAIL=1`.
 | `openvpn.yml` | OpenVPN | control-channel TLS, tls-auth/tls-crypt HMAC, data-channel ciphers |
 | `stunnel.yml` | stunnel TLS proxy | server + client TLS 1.2 termination (TLS 1.3 + X25519/X448 paths skipped in FIPS) |
 | `nginx.yml` | nginx web server | server-side TLS, certificate selection, OCSP stapling |
+| `nginx-pqc.yml` | oqs-demos nginx (PQC) | ML-DSA (FIPS 204) cert auth + ML-KEM/hybrid (FIPS 203) KEX over TLS 1.3 (master + latest -stable, v5.9.2 PQC floor) |
 | `socat.yml` | socat (multipurpose relay) | OpenSSL bridge mode (TLS in/out) |
 | `tcpdump.yml` | tcpdump packet capture | build + link against wolfprov-backed libssl (no live decrypt) |
 | `tnftp.yml` | NetBSD FTP client | FTPS (TLS over FTP control + data) |

.github/nginx/Dockerfile

@@ -0,0 +1,93 @@
+# oqs-demos nginx, but with wolfProvider in place of liboqs + oqs-provider.
+#
+# Mirrors https://github.com/open-quantum-safe/oqs-demos/tree/main/nginx: build
+# a quantum-safe OpenSSL provider, build nginx against that OpenSSL, generate an
+# ML-DSA CA + server certificate, and serve TLS 1.3 with PQC groups. The only
+# swap is the crypto provider: wolfProvider (backed by wolfSSL) instead of
+# oqs-provider, restricted to the FIPS 203 / FIPS 204 algorithms wolfProvider
+# implements. The default groups and SIG_ALG below are the wolfProvider-
+# supported subset of the oqs-demos defaults.
+#
+# Build context is the wolfProvider repository root:
+#   docker build -f .github/nginx/Dockerfile -t wolfprov-nginx .
+
+ARG WOLFSSL_REF=master
+ARG OPENSSL_REF=openssl-3.6.0
+ARG NGINX_VERSION=1.28.0
+ARG SIG_ALG=ML-DSA-65
+ARG DEFAULT_GROUPS=MLKEM512:MLKEM768:MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024
+ARG REPLACE_DEFAULT_FLAG=--replace-default
+ARG WP_OPENSSL_CONF=/opt/wolfProvider/openssl-install/ssl/openssl.cnf
+
+FROM ubuntu:22.04 AS build
+ARG WOLFSSL_REF
+ARG OPENSSL_REF
+ARG NGINX_VERSION
+ARG SIG_ALG
+ARG DEFAULT_GROUPS
+ARG REPLACE_DEFAULT_FLAG
+ARG WP_OPENSSL_CONF
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        build-essential git cmake autoconf automake libtool pkg-config \
+        libpcre3-dev zlib1g-dev wget ca-certificates perl python3 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Build OpenSSL 3.6+, wolfSSL, and wolfProvider. REPLACE_DEFAULT_FLAG is
+# --replace-default (wolfProvider is the compile-time default) or empty
+# (wolfProvider is a loadable module selected at runtime via provider.conf).
+# The matrix passes both REPLACE_DEFAULT_FLAG and the matching WP_OPENSSL_CONF.
+COPY . /opt/wolfProvider
+WORKDIR /opt/wolfProvider
+RUN OPENSSL_TAG=${OPENSSL_REF} WOLFSSL_TAG=${WOLFSSL_REF} \
+        ./scripts/build-wolfprovider.sh --enable-pqc ${REPLACE_DEFAULT_FLAG}
+
+ENV WOLFPROV_ROOT=/opt/wolfProvider
+ENV O=/opt/wolfProvider/openssl-install
+
+# Build nginx against the wolfProvider-backed OpenSSL. The download and build
+# run BEFORE LD_LIBRARY_PATH points at the wolfProvider OpenSSL: otherwise
+# wget's own HTTPS to nginx.org would route through wolfProvider and fail
+# certificate verification. nginx finds the libs at runtime via -rpath.
+WORKDIR /opt/wolfProvider
+RUN wget -q "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" \
+    && tar -zxf "nginx-${NGINX_VERSION}.tar.gz" && rm "nginx-${NGINX_VERSION}.tar.gz"
+WORKDIR /opt/wolfProvider/nginx-${NGINX_VERSION}
+RUN ./configure --prefix=/opt/nginx --with-http_ssl_module \
+        --with-cc-opt="-I${O}/include" \
+        --with-ld-opt="-L${O}/lib -L${O}/lib64 -Wl,-rpath,${O}/lib -Wl,-rpath,${O}/lib64 -Wl,-rpath,/opt/wolfProvider/wolfprov-install/lib -Wl,-rpath,/opt/wolfProvider/wolfssl-install/lib" \
+    && make -j"$(nproc)" && make install
+
+# From here on cert generation and the runtime server go through wolfProvider.
+# In replace-default builds WP_OPENSSL_CONF is the stock openssl.cnf (a no-op);
+# in non-replace builds it is provider.conf, which activates only wolfProvider
+# so the PQC crypto is genuinely served by wolfSSL, not OpenSSL's native PQC.
+ENV LD_LIBRARY_PATH=/opt/wolfProvider/wolfprov-install/lib:/opt/wolfProvider/wolfssl-install/lib:/opt/wolfProvider/openssl-install/lib:/opt/wolfProvider/openssl-install/lib64
+ENV OPENSSL_CONF=${WP_OPENSSL_CONF}
+ENV OPENSSL_MODULES=/opt/wolfProvider/wolfprov-install/lib
+
+# Generate the ML-DSA CA + server certificate through wolfProvider (the oqs-demos
+# SIG_ALG=mldsa65 arrangement) and lay down the PQC nginx config + test page.
+WORKDIR /opt/nginx
+COPY .github/nginx/nginx.conf /opt/nginx/conf/nginx.conf
+RUN mkdir -p pki cacert logs html \
+    && echo "wolfProvider quantum-safe nginx" > html/index.html \
+    && "${O}/bin/openssl" req -x509 -new -newkey "${SIG_ALG}" -nodes \
+        -keyout cacert/CA.key -out cacert/CA.crt -subj "/CN=wolfProvider PQC CA" \
+        -days 365 -addext basicConstraints=critical,CA:TRUE \
+        -addext keyUsage=critical,keyCertSign \
+    && "${O}/bin/openssl" genpkey -algorithm "${SIG_ALG}" -out pki/server.key \
+    && "${O}/bin/openssl" req -new -key pki/server.key -subj "/CN=oqs-nginx" \
+        -addext subjectAltName=DNS:localhost -out server.csr \
+    && "${O}/bin/openssl" x509 -req -in server.csr -CA cacert/CA.crt -CAkey cacert/CA.key \
+        -CAcreateserial -days 365 -copy_extensions copy -out pki/server.crt
+
+COPY .github/nginx/test.sh /opt/nginx/test.sh
+RUN chmod +x /opt/nginx/test.sh
+
+ENV DEFAULT_GROUPS=${DEFAULT_GROUPS}
+EXPOSE 4433
+
+# Default: serve. The CI test step overrides this with test.sh.
+CMD ["/opt/nginx/sbin/nginx", "-c", "/opt/nginx/conf/nginx.conf", "-g", "daemon off;"]

.github/nginx/nginx.conf

@@ -0,0 +1,39 @@
+worker_processes  auto;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    # No mime.types include: the relative path is install-layout dependent and
+    # the test serves a single plain page, so default_type is enough.
+    default_type  application/octet-stream;
+    sendfile        on;
+    keepalive_timeout  65;
+
+    # Quantum-safe HTTPS server: ML-DSA certificate (FIPS 204) authentication
+    # and ML-KEM / hybrid groups (FIPS 203) for key exchange, served through
+    # wolfProvider. The group set is the wolfProvider-supported subset of the
+    # oqs-demos nginx DEFAULT_GROUPS.
+    server {
+        listen       0.0.0.0:4433 ssl;
+        server_name  localhost;
+
+        access_log  /opt/nginx/logs/access.log;
+        error_log   /opt/nginx/logs/error.log;
+
+        ssl_certificate      /opt/nginx/pki/server.crt;
+        ssl_certificate_key  /opt/nginx/pki/server.key;
+
+        ssl_session_cache    shared:SSL:1m;
+        ssl_session_timeout  5m;
+
+        ssl_protocols TLSv1.3;
+        ssl_ecdh_curve MLKEM512:MLKEM768:MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024;
+
+        location / {
+            root   html;
+            index  index.html index.htm;
+        }
+    }
+}

.github/nginx/test.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# oqs-demos nginx connection test, wolfProvider edition. Starts the quantum-safe
+# nginx and connects once per supported group (the s_client / HTTP GET
+# equivalent of oqs-demos testrun.py's "curl --cacert CA.crt --curves <kem>"),
+# asserting the negotiated PQC group, the ML-DSA peer signature, a verified
+# chain, and that the page is served. Exits non-zero if any group fails; the CI
+# step inverts that under WOLFPROV_FORCE_FAIL=1.
+
+O=/opt/wolfProvider/openssl-install
+CA=/opt/nginx/cacert/CA.crt
+PORT=4433
+# NB: not "GROUPS" -- that is a bash special array (the user's group IDs).
+KEX_GROUPS="X25519MLKEM768 SecP256r1MLKEM768 SecP384r1MLKEM1024 MLKEM512 MLKEM768 MLKEM1024"
+
+export LD_LIBRARY_PATH="/opt/wolfProvider/wolfprov-install/lib:/opt/wolfProvider/wolfssl-install/lib:${O}/lib:${O}/lib64${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+
+echo "Quantum-safe groups under test: ${KEX_GROUPS}"
+/opt/nginx/sbin/nginx -c /opt/nginx/conf/nginx.conf
+sleep 2
+if ! "${O}/bin/openssl" s_client -connect "localhost:${PORT}" </dev/null \
+        >/dev/null 2>&1; then
+    echo "WARNING: nginx did not answer on ${PORT}; recent error log:"
+    tail -n 5 /opt/nginx/logs/error.log 2>/dev/null
+fi
+
+fail=0
+for g in ${KEX_GROUPS}; do
+    out=$( (printf 'GET / HTTP/1.0\r\nHost: localhost\r\n\r\n'; sleep 1) \
+        | "${O}/bin/openssl" s_client -connect "localhost:${PORT}" \
+            -groups "${g}" -CAfile "${CA}" -servername localhost 2>&1)
+
+    if echo "${out}" | grep -q "Negotiated TLS1.3 group: ${g}" \
+        && echo "${out}" | grep -qi "Peer signature type: mldsa65" \
+        && echo "${out}" | grep -q "Verify return code: 0 (ok)" \
+        && echo "${out}" | grep -q "wolfProvider quantum-safe nginx"; then
+        echo "PASS: ${g} (ML-DSA auth + quantum-safe key exchange)"
+    else
+        echo "FAIL: ${g}"
+        echo "${out}" | grep -iE "group|signature|verify return|alert|error" | head -4
+        fail=1
+    fi
+done
+
+/opt/nginx/sbin/nginx -c /opt/nginx/conf/nginx.conf -s stop 2>/dev/null
+
+if [ "${fail}" -eq 0 ]; then
+    echo "All quantum-safe groups served successfully."
+else
+    echo "One or more quantum-safe groups failed."
+fi
+exit "${fail}"

.github/workflows/nginx-pqc.yml

@@ -0,0 +1,149 @@
+name: Nginx PQC Tests
+
+# Runs the open-quantum-safe oqs-demos nginx demo with wolfProvider swapped in
+# for liboqs + oqs-provider (.github/nginx/Dockerfile), then runs oqs-demos'
+# own connection test (.github/nginx/test.sh): connect once per quantum-safe
+# group and assert ML-DSA (FIPS 204) certificate authentication plus an
+# ML-KEM / hybrid (FIPS 203) key exchange.
+#
+# Only the PQC path is exercised. Each wolfSSL ref runs in 4 modes:
+# replace-default and non-replace (wolfProvider loaded via provider.conf), each
+# in normal and force-fail. Versioning matches the other PQC workflows: wolfSSL
+# latest -stable (PQC floor v5.9.2-stable) and master, against the latest
+# OpenSSL 3.x release. The OSP source (nginx) is pinned to a fixed release in
+# the Dockerfile -- upstream master is unstable and non-reproducible.
+
+on:
+  workflow_call:
+    inputs:
+      wolfssl_refs_json:
+        description: "JSON array of wolfssl refs to test; empty = master + latest -stable (pre-PQC-floor refs are dropped)"
+        required: false
+        type: string
+        default: ""
+  workflow_dispatch: {}
+
+jobs:
+  discover-versions:
+    name: Resolve wolfSSL/OpenSSL versions
+    runs-on: ubuntu-22.04
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      openssl-tag: ${{ steps.set-matrix.outputs.openssl-tag }}
+    steps:
+      - name: Resolve wolfSSL refs and latest OpenSSL release
+        id: set-matrix
+        env:
+          INPUT_REFS: ${{ inputs.wolfssl_refs_json }}
+        run: |
+          set -euo pipefail
+          LATEST=$(git ls-remote --tags --refs \
+              https://github.com/wolfSSL/wolfssl.git 'v*-stable' \
+              | awk -F/ '{print $NF}' | sort -V | tail -n 1)
+          if [ -z "${LATEST:-}" ]; then
+            echo "::error::Could not resolve latest wolfSSL -stable tag"
+            exit 1
+          fi
+          # PQC needs OpenSSL 3.6+, so always build against the latest release.
+          OSSL=$(git ls-remote --tags --refs \
+              https://github.com/openssl/openssl.git 'openssl-3.*' \
+              | awk -F/ '{print $NF}' | grep -E '^openssl-3\.[0-9.]+$' \
+              | sort -V | tail -n 1)
+          if [ -z "${OSSL:-}" ]; then
+            echo "::error::Could not resolve latest OpenSSL release tag"
+            exit 1
+          fi
+          echo "Latest stable wolfSSL: $LATEST"
+          echo "Latest OpenSSL: $OSSL"
+          echo "openssl-tag=$OSSL" >> "$GITHUB_OUTPUT"
+          # Caller can override the ref set (e.g. nightly Wave 2); default is
+          # master + latest -stable.
+          if [ -n "${INPUT_REFS:-}" ]; then
+            REFS=$(printf '%s' "$INPUT_REFS" | jq -r '.[]')
+          else
+            REFS=$(printf '%s\n%s\n' "master" "$LATEST")
+          fi
+          # PQC needs the wc_MlDsaKey_* seed/message API that lands after
+          # v5.9.1-stable, so the floor is v5.9.2-stable. master is always
+          # eligible; a -stable ref only runs once it is past the floor. A
+          # pre-floor ref (e.g. v5.8.4-stable from Wave 2) is dropped -- it
+          # would just fail the --enable-pqc gate.
+          PQC_FLOOR="v5.9.1-stable"
+          ELIGIBLE=()
+          for ref in $REFS; do
+            if [ "$ref" = "master" ]; then
+              ELIGIBLE+=("$ref")
+            elif [ "$ref" != "$PQC_FLOOR" ] && \
+                 [ "$(printf '%s\n%s\n' "$PQC_FLOOR" "$ref" \
+                      | sort -V | tail -n1)" = "$ref" ]; then
+              ELIGIBLE+=("$ref")
+            else
+              echo "::notice::Skipping pre-PQC-floor wolfSSL ref $ref (floor past $PQC_FLOOR)"
+            fi
+          done
+          if [ ${#ELIGIBLE[@]} -eq 0 ]; then
+            REFS_JSON='[]'
+          else
+            REFS_JSON=$(printf '%s\n' "${ELIGIBLE[@]}" | jq -R . | jq -sc .)
+          fi
+          echo "Eligible wolfSSL refs: $REFS_JSON"
+          # Each eligible wolfSSL ref expands to 4 rows: replace-default and
+          # non-replace, each in normal and force-fail anti-test mode. The
+          # matrix owns the replace-default and force-fail axes; the test step
+          # hands its raw result to check-workflow-result.sh which inverts the
+          # force-fail expectation.
+          MATRIX=$(jq -nc --argjson refs "$REFS_JSON" '
+            def rows($ref; $lbl):
+              [ {"replace":true,  "ff":"WOLFPROV_FORCE_FAIL=1",
+                 "sfx":" [replace-default] [force-fail]"},
+                {"replace":true,  "ff":"", "sfx":" [replace-default]"},
+                {"replace":false, "ff":"WOLFPROV_FORCE_FAIL=1",
+                 "sfx":" [non-replace] [force-fail]"},
+                {"replace":false, "ff":"", "sfx":" [non-replace]"} ]
+              | map({"name":($lbl+.sfx), "wolfssl-ref":$ref,
+                     "replace":.replace, "force_fail":.ff});
+            { include: ( $refs
+                | map(rows(.; (if . == "master" then "master"
+                               else "stable (" + . + ")" end)))
+                | add // [] ) }')
+          echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"
+
+  nginx-pqc:
+    name: ${{ matrix.name }}
+    needs: discover-versions
+    runs-on: ubuntu-22.04
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.discover-versions.outputs.matrix) }}
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      # Build the oqs-demos nginx image with wolfProvider in place of
+      # oqs-provider. nginx is pinned to release-1.28.0 in the Dockerfile.
+      - name: Build quantum-safe nginx image
+        run: |
+          docker build \
+            --build-arg WOLFSSL_REF=${{ matrix.wolfssl-ref }} \
+            --build-arg OPENSSL_REF=${{ needs.discover-versions.outputs.openssl-tag }} \
+            --build-arg REPLACE_DEFAULT_FLAG=${{ matrix.replace && '--replace-default' || '' }} \
+            --build-arg WP_OPENSSL_CONF=${{ matrix.replace && '/opt/wolfProvider/openssl-install/ssl/openssl.cnf' || '/opt/wolfProvider/provider.conf' }} \
+            -f .github/nginx/Dockerfile -t wolfprov-nginx .
+
+      # Run oqs-demos' connection test against the running server. In normal
+      # mode every quantum-safe group must negotiate with an ML-DSA verified
+      # chain; in force-fail mode wolfProvider fails every operation so the
+      # handshakes break and check-workflow-result.sh inverts that to a pass,
+      # proving wolfProvider genuinely served the PQC crypto.
+      - name: Run oqs-demos nginx PQC connection test
+        shell: bash
+        run: |
+          set +e
+          docker run --rm -e ${{ matrix.force_fail || 'WOLFPROV_NOOP=1' }} \
+            wolfprov-nginx /opt/nginx/test.sh 2>&1 | tee nginx-pqc.log
+          TEST_RESULT=${PIPESTATUS[0]}
+          $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh \
+            $TEST_RESULT "${{ matrix.force_fail }}" nginx-pqc

.github/workflows/nightly-osp.yml

@@ -6,6 +6,8 @@ name: Nightly OSP Suite
 # with if: always() so a single Wave 1 failure doesn't skip the
 # older-line coverage. multi-compiler and static-analysis run once
 # outside the waves.
+# nginx-pqc is Wave 1 only: PQC has a v5.9.2-stable floor, so the
+# v5.8.4-stable Wave 2 line has no eligible ref to run.
 
 on:
   schedule:
@@ -49,6 +51,7 @@ jobs:
   libwebsockets-591:   { uses: ./.github/workflows/libwebsockets.yml,   }
   net-snmp-591:        { uses: ./.github/workflows/net-snmp.yml,        }
   nginx-591:           { uses: ./.github/workflows/nginx.yml,           }
+  nginx-pqc-591:       { uses: ./.github/workflows/nginx-pqc.yml,       }
   openldap-591:        { uses: ./.github/workflows/openldap.yml,        }
   opensc-591:          { uses: ./.github/workflows/opensc.yml,          }
   openssh-591:         { uses: ./.github/workflows/openssh.yml,         }
@@ -94,6 +97,7 @@ jobs:
       - libwebsockets-591
       - net-snmp-591
       - nginx-591
+      - nginx-pqc-591
       - openldap-591
       - opensc-591
       - openssh-591

.github/workflows/pr-osp-select.yml

@@ -131,6 +131,10 @@ jobs:
     needs: select
     if: contains(needs.select.outputs.run, ' all ') || contains(needs.select.outputs.run, ' nginx ')
     uses: ./.github/workflows/nginx.yml
+  nginx-pqc:
+    needs: select
+    if: contains(needs.select.outputs.run, ' all ') || contains(needs.select.outputs.run, ' nginx-pqc ')
+    uses: ./.github/workflows/nginx-pqc.yml
   openldap:
     needs: select
     if: contains(needs.select.outputs.run, ' all ') || contains(needs.select.outputs.run, ' openldap ')