cisco · bifurcation · Nov 20, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
diff --git a/.github/workflows/main_ci.yml b/.github/workflows/main_ci.yml
@@ -35,7 +35,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
     - uses: dorny/paths-filter@v3
-      id: filterV
+      id: filter_version
       with:
         filters: |
           hpke:
@@ -45,7 +45,7 @@ jobs:
 
     - id: set-matrix 
       run: |
-        if [ ${{ steps.filter.outputs.hpke }} = "true" ];
+        if [ ${{ steps.filter_version.outputs.hpke }} = "true" ];
         then
           echo "matrix=[\"openssl_1.1\",\"openssl_3\",\"boringssl\"]" >> $GITHUB_OUTPUT;
         else
@@ -63,7 +63,7 @@ jobs:
       uses: jidicula/[email protected]
       with:
         clang-format-version: 16
-        include-regex: '^\./(src|include|test|cmd)/.*\.(cpp|h)$'
+        include-regex: '^\./(src|include|test|cmd|lib)/.*\.(cpp|h)$'
         fallback-style: 'Mozilla'
 
   build-and-unit-test:
@@ -81,7 +81,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
       with:
-        submodules: recursive
+        submodules: true
         fetch-depth: 0
 
     - uses: ./.github/actions/prepare-build
@@ -106,7 +106,7 @@ jobs:
     runs-on: ubuntu-latest
 
     env:
-      CRYPTO_DIR: "./alternatives/openssl_1.1"
+      CRYPTO_DIR: "./alternatives/openssl_3"
 
     steps:
     - uses: actions/checkout@v4
@@ -117,13 +117,13 @@ jobs:
     - uses: ./.github/actions/prepare-build
       with:
         os: ubuntu-latest
-        crypto-dir: openssl_1.1
+        crypto-dir: openssl_3
         cache-dir: ${{ github.workspace }}/vcpkg_cache
 
     - name: Build
       run: |
-        cmake -B "${{ runner.temp }}/build_openssl_1.1" -DVCPKG_MANIFEST_DIR="${{ env.CRYPTO_DIR }}"
-        cmake --build "${{ runner.temp }}/build_openssl_1.1"
+        cmake -B "${{ runner.temp }}/build_openssl_3" -DVCPKG_MANIFEST_DIR="${{ env.CRYPTO_DIR }}"
+        cmake --build "${{ runner.temp }}/build_openssl_3"
 
     - name: Build (Interop Harness)
       run: |

diff --git a/alternatives/openssl_1.1/vcpkg.json b/alternatives/openssl_1.1/vcpkg.json
@@ -8,9 +8,10 @@
       "version>=": "1.1.1n"
     },
     "catch2",
+    "liboqs",
     "nlohmann-json"
   ],
-  "builtin-baseline": "eb33d2f7583405fca184bcdf7fdd5828ec88ac05",
+  "builtin-baseline": "3bbc2809d3625cb83a0d7cbd413bd6ad769d46d4",
   "overrides": [
     {
       "name": "openssl",

diff --git a/alternatives/openssl_3/vcpkg.json b/alternatives/openssl_3/vcpkg.json
@@ -5,7 +5,7 @@
   "dependencies": [
     {
       "name": "openssl",
-      "version>=": "3.0.7"
+      "version>=": "3.5.0"
     },
     "catch2",
     "nlohmann-json"
@@ -14,7 +14,7 @@
   "overrides": [
     {
       "name": "openssl",
-      "version": "3.0.7"
+      "version": "3.5.0"
     },
     {
       "name": "catch2",

diff --git a/cmd/interop/CMakeLists.txt b/cmd/interop/CMakeLists.txt
@@ -14,7 +14,7 @@ set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
 if (CMAKE_CXX_COMPILER_ID MATCHES "Clang" OR CMAKE_CXX_COMPILER_ID MATCHES "GNU")
   # XXX(RLB) -Wmissing-declarations causes gRPC generated code not to build
-  add_compile_options(-Wall -pedantic -Wextra -Werror)
+  add_compile_options(-Wall -pedantic -Wextra -Werror -Wno-nullability-extension)
 elseif(MSVC)
   # XXX(RLB) Protobuf and gRPC cannot build with these additional errors enabled
   # add_compile_options(/W4 /WX)

diff --git a/cmd/interop/Makefile b/cmd/interop/Makefile
@@ -1,13 +1,15 @@
 BUILD_DIR=build
 TEST_VECTOR_DIR=${BUILD_DIR}/third_party/src/mls-interop-extern/test-vectors
 APP_NAME=mlspp_client
+TOOLCHAIN_FILE=../../vcpkg/scripts/buildsystems/vcpkg.cmake
 
 .PHONY: all run format clean cclean
 
 all: ${BUILD_DIR}/${APP_NAME}
 
 ${BUILD_DIR}:
-	cmake -B${BUILD_DIR} -DCMAKE_BUILD_TYPE=Debug .
+	cmake -B${BUILD_DIR} -DCMAKE_BUILD_TYPE=Debug . \
+				-DCMAKE_TOOLCHAIN_FILE=${TOOLCHAIN_FILE}
 
 ${BUILD_DIR}/${APP_NAME}: ${BUILD_DIR} src/*.cpp
 	cmake --build ${BUILD_DIR} --target ${APP_NAME}

diff --git a/cmd/interop/vcpkg.json b/cmd/interop/vcpkg.json
@@ -5,18 +5,18 @@
   "dependencies": [
    {
       "name": "openssl",
-      "version>=": "1.1.1n"
+      "version>=": "3.5.0"
     },
     "protobuf",
     "grpc",
     "gflags",
     "nlohmann-json"
   ],
-  "builtin-baseline": "0d5cae153065957df7f382de7c1549ccc88027e5",
+  "builtin-baseline": "3bbc2809d3625cb83a0d7cbd413bd6ad769d46d4",
   "overrides": [
     {
       "name": "openssl",
-      "version-string": "1.1.1n"
+      "version-string": "3.5.0"
     }
   ]
 }
diff --git a/lib/hpke/CMakeLists.txt b/lib/hpke/CMakeLists.txt
@@ -42,11 +42,11 @@ if ( OPENSSL_FOUND )
 
     elseif (REQUIRE_BORINGSSL)
       message(FATAL_ERROR "BoringSSL required but not found")
-    endif ()
-
-    if (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3)
+    elseif (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3)
       target_compile_definitions(${CURRENT_LIB_NAME} PUBLIC WITH_OPENSSL3)
-    elseif(${OPENSSL_VERSION} VERSION_LESS 1.1.1)
+    elseif (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 1.1.1)
+      set(USING_LIBOQS ON)
+    else()
       message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required")
     endif()
     message(STATUS "OpenSSL Found: ${OPENSSL_VERSION}")
@@ -63,6 +63,12 @@ target_link_libraries(${CURRENT_LIB_NAME}
     OpenSSL::Crypto
 )
 
+# LibOQS as needed.
+if(USING_LIBOQS)
+  find_package(liboqs)
+  target_link_libraries(${CURRENT_LIB_NAME} PRIVATE OQS::oqs)
+endif()
+
 target_include_directories(${CURRENT_LIB_NAME}
   PUBLIC
     $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>

diff --git a/lib/hpke/include/hpke/hpke.h b/lib/hpke/include/hpke/hpke.h
@@ -19,6 +19,9 @@ struct KEM
     DHKEM_X25519_SHA256 = 0x0020,
 #if !defined(WITH_BORINGSSL)
     DHKEM_X448_SHA512 = 0x0021,
+    MLKEM512 = 0x0040,
+    MLKEM768 = 0x0041,
+    MLKEM1024 = 0x0042,
 #endif
   };
 

diff --git a/lib/hpke/scripts/format-test-vectors.go b/lib/hpke/scripts/format-test-vectors.go
@@ -63,10 +63,10 @@ func (b ByteString) MarhsalTLS() ([]byte, error) {
 }
 
 type EncryptionTestVector struct {
-	Plaintext  ByteString `json:"plaintext"`
+	Plaintext  ByteString `json:"pt"`
 	AAD        ByteString `json:"aad"`
 	Nonce      ByteString `json:"nonce"`
-	Ciphertext ByteString `json:"ciphertext"`
+	Ciphertext ByteString `json:"ct"`
 }
 
 type EncryptionTestVectors []EncryptionTestVector

diff --git a/lib/hpke/scripts/go.mod b/lib/hpke/scripts/go.mod
@@ -1,6 +1,8 @@
 module main
 
-go 1.16
+go 1.23.0
+
+toolchain go1.24.10
 
 require (
 	github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b

diff --git a/lib/hpke/src/hpke.cpp b/lib/hpke/src/hpke.cpp
@@ -6,6 +6,7 @@
 #include "common.h"
 #include "dhkem.h"
 #include "hkdf.h"
+#include "mlkem.h"
 
 #include <limits>
 #include <stdexcept>
@@ -132,6 +133,27 @@ KEM::get<KEM::ID::DHKEM_X448_SHA512>()
 {
   return DHKEM::get<KEM::ID::DHKEM_X448_SHA512>();
 }
+
+template<>
+const KEM&
+KEM::get<KEM::ID::MLKEM512>()
+{
+  return MLKEM::get<KEM::ID::MLKEM512>();
+}
+
+template<>
+const KEM&
+KEM::get<KEM::ID::MLKEM768>()
+{
+  return MLKEM::get<KEM::ID::MLKEM768>();
+}
+
+template<>
+const KEM&
+KEM::get<KEM::ID::MLKEM1024>()
+{
+  return MLKEM::get<KEM::ID::MLKEM1024>();
+}
 #endif
 
 bytes
@@ -358,6 +380,12 @@ select_kem(KEM::ID id)
 #if !defined(WITH_BORINGSSL)
     case KEM::ID::DHKEM_X448_SHA512:
       return KEM::get<KEM::ID::DHKEM_X448_SHA512>();
+    case KEM::ID::MLKEM512:
+      return KEM::get<KEM::ID::MLKEM512>();
+    case KEM::ID::MLKEM768:
+      return KEM::get<KEM::ID::MLKEM768>();
+    case KEM::ID::MLKEM1024:
+      return KEM::get<KEM::ID::MLKEM1024>();
 #endif
     default:
       throw std::runtime_error("Unsupported algorithm");