To build a mcwolf directory:
    curl -O https://cr.yp.to/2025/20250426-mcwolf/build
    chmod 755 build
    ./build
This clones WolfSSL's git repo, patches WolfSSL for McEliece support, runs ./configure --enable-mceliece, runs make check, and runs wolfcrypt/benchmark/benchmark -pq. Expected output includes some test results such as
    MCELIECE348864 test passed!
and some benchmark results.
There are more ./configure options to selectively enable different sizes, such as ./configure --enable-mceliece348864. Probably useful to split this further into keygen, enc, dec.
The API is much more like the symmetric-crypto APIs than like the ML-KEM API: wire-format inputs and outputs with fixed sizes specified by macros; generally no memory allocation.
Internally, the build script downloads SUPERCOP (which is the distribution mechanism for the official Classic McEliece software), runs a Python script to create some new files in WolfSSL (after which one could remove SUPERCOP: the resulting patched WolfSSL is self-contained), and applies a patch to some existing files. The script isn't trying to be idempotent.
The patch specifically uses the official vec implementation of Classic McEliece. This is portable code, although small devices will want different implementations to reduce stack usage (and really small devices will want a streaming API, as in McTiny). The official avx implementation would be roughly 4x faster on Intel/AMD CPUs with AVX2. Could also add a liboqs hook.
RNG failures are handled by looping, to simplify the RNG callers. The tests added to WolfSSL for this code are very light for the moment, although essentially the same code is more heavily tested in SUPERCOP and in libmceliece.
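How looping on RNG failure removes the error path from callers that use fixed-size, allocation-free buffers, as an added example that is not mcwolf or WolfSSL code: `rng_fn`, `flaky_generate`, `rng_fill_looping`, `demo_seed` and `DEMO_SEEDBYTES` are hypothetical names, and the RNG is a constructed one that fails three times before succeeding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_SEEDBYTES 32  /* hypothetical fixed size, set by a macro */

/* Hypothetical fallible RNG interface: 0 on success, nonzero on failure. */
typedef int (*rng_fn)(void *ctx, uint8_t *out, size_t len);

/* Constructed test RNG: fails `fail_left` times, writing only half the
   requested bytes on each failure, then succeeds with a full fill. */
struct flaky_rng { unsigned fail_left; uint8_t next; };

static int flaky_generate(void *ctx, uint8_t *out, size_t len)
{
    struct flaky_rng *r = ctx;
    size_t n = r->fail_left ? len / 2 : len;
    for (size_t i = 0; i < n; i++) out[i] = r->next++;
    if (r->fail_left) { r->fail_left--; return -1; }
    return 0;
}

/* Loop until the RNG reports success. The function returns only after a
   successful call, so the buffer never ends up holding a failed call's
   partial output. Returns the number of failed attempts. */
static unsigned long rng_fill_looping(rng_fn rng, void *ctx,
                                      uint8_t *out, size_t len)
{
    unsigned long failures = 0;
    while (rng(ctx, out, len) != 0)
        failures++;
    return failures;
}

/* Caller with no RNG error path: fixed-size output, no allocation. */
static void demo_seed(uint8_t seed[DEMO_SEEDBYTES], rng_fn rng, void *ctx)
{
    (void)rng_fill_looping(rng, ctx, seed, DEMO_SEEDBYTES);
}

int main(void)
{
    struct flaky_rng r = { 3, 1 };  /* fail three times, bytes start at 1 */
    uint8_t seed[DEMO_SEEDBYTES];
    demo_seed(seed, flaky_generate, &r);
    printf("seed[0]=%u seed[31]=%u\n", seed[0], seed[DEMO_SEEDBYTES - 1]);
    return 0;
}
```

A persistent RNG failure makes such a loop spin forever, which is the trade-off for giving callers no error code to check.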