Enable and use ML-KEM by default

* Enable ML-KEM by default
* Only allow three to-be-standardized hybrid PQ/T combinatations by
  default
* Use X25519MLKEM768 as the default KeyShare in the ClientHello (if user
  does not override that)
* Disable standalone ML-KEM in supported groups by default (enable with
  --enable-tls-mlkem-standalone)
* Disable extra OQS-based hybrid PQ/T curves by default and gate
  behind --enable-experimental (enable with --enable-extra-pqc-hybrids)
* Reorder the SupportedGroups extension to reflect the preferences
* Reorder the preferredGroup array to also reflect the same preferences
* Enable DTLS1.3 ClientHello fragmentation by default when both DTLS1.3
  and ML-KEM are enabled

Author: Frauschi

.github/workflows/cmake.yml

@@ -51,7 +51,7 @@ jobs:
             -DWOLFSSL_CURVE448:STRING=yes -DWOLFSSL_DEBUG:BOOL=yes -DWOLFSSL_DES3:BOOL=ON \
             -DWOLFSSL_DES3_TLS_SUITES:BOOL=no -DWOLFSSL_DH:STRING=yes -DWOLFSSL_DH_DEFAULT_PARAMS:BOOL=yes \
             -DWOLFSSL_DSA:BOOL=yes -DWOLFSSL_DTLS:BOOL=ON -DWOLFSSL_DTLS13:BOOL=yes \
-            -DWOLFSSL_DTLS_CID:BOOL=yes -DWOLFSSL_ECC:STRING=yes \
+            -DWOLFSSL_DTLS_CID:BOOL=yes -DWOLFSSL_DTLS_CH_FRAG:BOOL=yes -DWOLFSSL_ECC:STRING=yes \
             -DWOLFSSL_ECCCUSTCURVES:STRING=all -DWOLFSSL_ECCSHAMIR:BOOL=yes \
             -DWOLFSSL_ECH:BOOL=yes -DWOLFSSL_ED25519:BOOL=yes -DWOLFSSL_ED448:STRING=yes \
             -DWOLFSSL_ENCKEYS:BOOL=yes -DWOLFSSL_ENC_THEN_MAC:BOOL=yes -DWOLFSSL_ERROR_QUEUE:BOOL=yes \
@@ -77,10 +77,9 @@ jobs:
             -DWOLFSSL_TICKET_NONCE_MALLOC:BOOL=yes -DWOLFSSL_TLS13:BOOL=yes -DWOLFSSL_TLSV12:BOOL=yes \
             -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
             -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
-            -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
-            -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
-            -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
-            -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
+            -DWOLFSSL_MLKEM:BOOL=yes -DWOLFSSL_EXTRA_PQC_HYBRIDS:BOOL=yes -DWOLFSSL_LMS:BOOL=yes \
+            -DWOLFSSL_LMSSHA256192:BOOL=yes -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes \
+            -DWOLFSSL_PKCS11:BOOL=yes -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
             ..
         cmake --build .
         ctest -j $(nproc)

.github/workflows/psk.yml

@@ -18,9 +18,9 @@ jobs:
       matrix:
         config: [
           # Add new configs here
-          '--enable-psk C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --disable-rsa --disable-ecc --disable-dh',
-          '--disable-oldtls --disable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all',
-          '--disable-oldtls --disable-tlsv12 --enable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all'
+          '--enable-psk C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --disable-rsa --disable-ecc --disable-dh --disable-mlkem',
+          '--disable-oldtls --disable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all --disable-mlkem',
+          '--disable-oldtls --disable-tlsv12 --enable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all --disable-mlkem'
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

.github/workflows/rust-wrapper.yml

@@ -39,36 +39,36 @@ jobs:
           '',
           '--enable-all',
           '--enable-cryptonly --disable-examples',
-          '--enable-cryptonly --disable-examples --disable-aes --disable-aesgcm',
-          '--enable-cryptonly --disable-examples --disable-aescbc',
-          '--enable-cryptonly --disable-examples --disable-aeseax',
-          '--enable-cryptonly --disable-examples --disable-aesecb',
-          '--enable-cryptonly --disable-examples --disable-aesccm',
-          '--enable-cryptonly --disable-examples --disable-aescfb',
-          '--enable-cryptonly --disable-examples --disable-aesctr',
-          '--enable-cryptonly --disable-examples --disable-aescts',
-          '--enable-cryptonly --disable-examples --disable-aesgcm',
-          '--enable-cryptonly --disable-examples --disable-aesgcm-stream',
-          '--enable-cryptonly --disable-examples --disable-aesofb',
-          '--enable-cryptonly --disable-examples --disable-aesxts',
-          '--enable-cryptonly --disable-examples --disable-cmac',
-          '--enable-cryptonly --disable-examples --disable-dh',
-          '--enable-cryptonly --disable-examples --disable-ecc',
-          '--enable-cryptonly --disable-examples --disable-ed25519',
-          '--enable-cryptonly --disable-examples --disable-ed25519-stream',
-          '--enable-cryptonly --disable-examples --disable-ed448',
-          '--enable-cryptonly --disable-examples --disable-ed448-stream',
-          '--enable-cryptonly --disable-examples --disable-hkdf',
-          '--enable-cryptonly --disable-examples --disable-hmac',
-          '--enable-cryptonly --disable-examples --disable-rng',
-          '--enable-cryptonly --disable-examples --disable-rsa',
-          '--enable-cryptonly --disable-examples --disable-rsapss',
-          '--enable-cryptonly --disable-examples --disable-sha224',
-          '--enable-cryptonly --disable-examples --disable-sha3',
-          '--enable-cryptonly --disable-examples --disable-sha384',
-          '--enable-cryptonly --disable-examples --disable-sha512',
-          '--enable-cryptonly --disable-examples --disable-shake128',
-          '--enable-cryptonly --disable-examples --disable-shake256',
-          '--enable-cryptonly --disable-examples --disable-srtp-kdf',
-          '--enable-cryptonly --disable-examples --disable-x963kdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aes --disable-aesgcm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescbc',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aeseax',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesecb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesccm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescfb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesctr',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescts',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesgcm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesgcm-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesofb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesxts',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-cmac',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-dh',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ecc',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed25519',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed25519-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed448',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed448-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-hkdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-hmac',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rng',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rsa',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rsapss',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha224',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha3',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha384',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha512',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-shake128',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-shake256',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-srtp-kdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-x963kdf',
         ]

CMakeLists.txt

@@ -427,6 +427,18 @@ if(WOLFSSL_DTLS_CID)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CID")
 endif()
 
+# DTLS 1.3 ClientHello fragmenting
+add_option("WOLFSSL_DTLS_CH_FRAG"
+    "Enable wolfSSL DTLS 1.3 ClientHello fragmenting (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_DTLS_CH_FRAG)
+    if(NOT WOLFSSL_DTLS13)
+        message(FATAL_ERROR "DTLS 1.3 Fragment ClientHello is supported only for DTLSv1.3")
+    endif()
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CH_FRAG")
+endif()
+
 # RNG
 add_option("WOLFSSL_RNG"
     "Enable compiling and using RNG (default: enabled)"
@@ -601,13 +613,58 @@ add_option(WOLFSSL_OQS
 # ML-KEM/Kyber
 add_option(WOLFSSL_MLKEM
     "Enable the wolfSSL PQ ML-KEM library (default: disabled)"
-    "no" "yes;no")
+    "yes" "yes;no")
+
+if (WOLFSSL_MLKEM)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_MLKEM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_MLKEM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA3")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE128")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE256")
+
+    set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
+endif()
+
+# When MLKEM and DTLS 1.3 are both enabled, DTLS ClientHello fragmenting is
+# required (PQC keys in ClientHello can exceed MTU), so enable it automatically.
+if(WOLFSSL_MLKEM AND WOLFSSL_DTLS13 AND NOT WOLFSSL_DTLS_CH_FRAG)
+    message(STATUS "MLKEM and DTLS 1.3 are enabled; enabling DTLS ClientHello fragmenting")
+    override_cache(WOLFSSL_DTLS_CH_FRAG "yes")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CH_FRAG")
+endif()
+
+# Disable ML-KEM as standalone TLS key exchange (non-hybrid); when enabled (default), standalone is disabled
+add_option(WOLFSSL_TLS_NO_MLKEM_STANDALONE
+    "Disable ML-KEM as standalone TLS key exchange (non-hybrid) (default: enabled, i.e. standalone disabled)"
+    "yes" "yes;no")
+
+if (WOLFSSL_TLS_NO_MLKEM_STANDALONE)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_TLS_NO_MLKEM_STANDALONE")
+endif()
 
 # Dilithium
 add_option(WOLFSSL_DILITHIUM
     "Enable the wolfSSL PQ Dilithium (ML-DSA) implementation (default: disabled)"
     "no" "yes;no")
 
+if (WOLFSSL_DILITHIUM)
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_DILITHIUM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_DILITHIUM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA3")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE128")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE256")
+
+    set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
+endif()
+
 # LMS
 add_option(WOLFSSL_LMS
     "Enable the PQ LMS Stateful Hash-based Signature Scheme (default: disabled)"
@@ -617,11 +674,31 @@ add_option(WOLFSSL_LMSSHA256192
     "Enable the LMS SHA_256_192 truncated variant (default: disabled)"
     "no" "yes;no")
 
+if (WOLFSSL_LMS)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_LMS")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_LMS")
+
+    set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
+
+    if (WOLFSSL_LMSSHA256192)
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_LMS_SHA256_192")
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_NO_LMS_SHA256_256")
+
+        set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
+        set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
+    endif()
+endif()
+
 # Experimental features
 add_option(WOLFSSL_EXPERIMENTAL
     "Enable experimental features (default: disabled)"
     "no" "yes;no")
 
+add_option(WOLFSSL_EXTRA_PQC_HYBRIDS
+    "Enable extra PQ/T hybrid combinations (default: disabled)"
+    "no" "yes;no")
+
 message(STATUS "Looking for WOLFSSL_EXPERIMENTAL")
 if (WOLFSSL_EXPERIMENTAL)
     message(STATUS "Looking for WOLFSSL_EXPERIMENTAL - found")
@@ -657,75 +734,14 @@ if (WOLFSSL_EXPERIMENTAL)
         message(STATUS "Looking for WOLFSSL_OQS - not found")
     endif()
 
-    # Checking for experimental feature: WOLFSSL_MLKEM
-    message(STATUS "Looking for WOLFSSL_MLKEM")
-    if (WOLFSSL_MLKEM)
-        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
-
-        message(STATUS "Automatically set related requirements for ML-KEM:")
-        add_definitions("-DWOLFSSL_HAVE_MLKEM")
-        add_definitions("-DWOLFSSL_WC_MLKEM")
-        add_definitions("-DWOLFSSL_SHA3")
-        add_definitions("-DWOLFSSL_SHAKE128")
-        add_definitions("-DWOLFSSL_SHAKE256")
-
-        set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
-        message(STATUS "Looking for WOLFSSL_MLKEM - found")
-    else()
-        message(STATUS "Looking for WOLFSSL_MLKEM - not found")
-    endif()
-
-    # Checking for experimental feature: WOLFSSL_LMS
-    message(STATUS "Looking for WOLFSSL_LMS")
-    if (WOLFSSL_LMS)
-        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 2)
-
-        message(STATUS "Automatically set related requirements for LMS")
-        add_definitions("-DWOLFSSL_HAVE_LMS")
-        add_definitions("-DWOLFSSL_WC_LMS")
-        set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
-        message(STATUS "Looking for WOLFSSL_LMS - found")
-        # Checking for experimental feature: WOLFSSL_LMSSHA256192
-        if (WOLFSSL_LMSSHA256192)
-            message(STATUS "Automatically set related requirements for LMS SHA256-192")
-            add_definitions("-DWOLFSSL_LMS_SHA256_192")
-            add_definitions("-DWOLFSSL_NO_LMS_SHA256_256")
-            set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
-            set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
-            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - found")
-        else()
-            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - not found")
-        endif()
-    else()
-        message(STATUS "Looking for WOLFSSL_LMS - not found")
-    endif()
-
-    # Checking for experimental feature: Dilithium
-    message(STATUS "Looking for WOLFSSL_DILITHIUM")
-    if (WOLFSSL_DILITHIUM)
+    # Checking for experimental feature: extra PQ/T hybrid combinations
+    message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS")
+    if (WOLFSSL_EXTRA_PQC_HYBRIDS)
         set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
-
-        message(STATUS "Automatically set related requirements for Dilithium:")
-        add_definitions("-DHAVE_DILITHIUM")
-        add_definitions("-DWOLFSSL_WC_DILITHIUM")
-        add_definitions("-DWOLFSSL_SHA3")
-        add_definitions("-DWOLFSSL_SHAKE128")
-        add_definitions("-DWOLFSSL_SHAKE256")
-
-        message(STATUS "Automatically set related requirements for Dilithium:")
-        set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
-        message(STATUS "Looking for WOLFSSL_DILITHIUM - found")
+        message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS - found")
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_EXTRA_PQC_HYBRIDS")
     else()
-        message(STATUS "Looking for WOLFSSL_DILITHIUM - not found")
+        message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS - not found")
     endif()
 
     # Other experimental feature detection can be added here...
@@ -750,12 +766,6 @@ else()
     if (WOLFSSL_OQS)
         message(FATAL_ERROR "Error: WOLFSSL_OQS requires WOLFSSL_EXPERIMENTAL at this time.")
     endif()
-    if(WOLFSSL_MLKEM)
-        message(FATAL_ERROR "Error: WOLFSSL_MLKEM requires WOLFSSL_EXPERIMENTAL at this time.")
-    endif()
-    if(WOLFSSL_DILITHIUM)
-        message(FATAL_ERROR "Error: WOLFSSL_DILITHIUM requires WOLFSSL_EXPERIMENTAL at this time.")
-    endif()
 endif()
 
 # LMS

cmake/options.h.in

@@ -374,6 +374,8 @@ extern "C" {
 #cmakedefine WOLFSSL_HAVE_MLKEM
 #undef WOLFSSL_WC_MLKEM
 #cmakedefine WOLFSSL_WC_MLKEM
+#undef WOLFSSL_TLS_NO_MLKEM_STANDALONE
+#cmakedefine WOLFSSL_TLS_NO_MLKEM_STANDALONE
 #undef WOLFSSL_WC_DILITHIUM
 #cmakedefine WOLFSSL_WC_DILITHIUM
 #undef NO_WOLFSSL_STUB
@@ -400,6 +402,8 @@ extern "C" {
 #cmakedefine WOLFSSL_HAVE_XMSS
 #undef WOLFSSL_WC_XMSS
 #cmakedefine WOLFSSL_WC_XMSS
+#undef WOLFSSL_EXTRA_PQC_HYBRIDS
+#cmakedefine WOLFSSL_EXTRA_PQC_HYBRIDS
 
 #ifdef __cplusplus
 }

configure.ac

@@ -1614,7 +1614,7 @@ AC_ARG_WITH([liboqs],
 AC_ARG_ENABLE([mlkem],
     [AS_HELP_STRING([--enable-mlkem],[Enable MLKEM (default: disabled)])],
     [ ENABLED_MLKEM=$enableval ],
-    [ ENABLED_MLKEM=no ]
+    [ ENABLED_MLKEM=yes ]
     )
 # note, inherits default from "mlkem" clause above.
 AC_ARG_ENABLE([kyber],
@@ -1745,8 +1745,32 @@ then
     fi
 fi
 
+AC_ARG_ENABLE([tls-mlkem-standalone],
+    [AS_HELP_STRING([--enable-tls-mlkem-standalone],[Enable ML-KEM as standalone TLS key exchange (non-hybrid) (default: disabled)])],
+    [ ENABLED_MLKEM_STANDALONE=$enableval ],
+    [ ENABLED_MLKEM_STANDALONE=no ]
+    )
+
+if test "$ENABLED_MLKEM_STANDALONE" != "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_NO_MLKEM_STANDALONE"
+fi
+
+# Extra PQ/T Hybrid combinations
+AC_ARG_ENABLE([extra-pqc-hybrids],
+    [AS_HELP_STRING([--enable-extra-pqc-hybrids],[Enable extra PQ/T hybrid combinations (default: disabled)])],
+    [ ENABLED_EXTRA_PQC_HYBRIDS=$enableval ],
+    [ ENABLED_EXTRA_PQC_HYBRIDS=no ]
+    )
+
+if test "$ENABLED_EXTRA_PQC_HYBRIDS" = "yes"
+then
+    AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires --enable-experimental.]) ])
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_PQC_HYBRIDS"
+fi
+
 # Dilithium
-#  - SHA3, Shake128, Shake256 and AES-CTR
+#  - SHA3, Shake128 and Shake256
 AC_ARG_ENABLE([mldsa],
     [AS_HELP_STRING([--enable-mldsa],[Enable MLDSA (default: disabled)])],
     [ ENABLED_DILITHIUM=$enableval ],
@@ -5594,6 +5618,15 @@ then
   AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
 fi
 
+# When MLKEM and DTLS 1.3 are both enabled, DTLS ClientHello fragmenting is
+# required (PQC keys in ClientHello can exceed MTU), so enable it automatically.
+if test "x$ENABLED_MLKEM" != "xno" && test "x$ENABLED_DTLS13" = "xyes" && test "x$ENABLED_DTLS_CH_FRAG" != "xyes"
+then
+  AC_MSG_NOTICE([MLKEM and DTLS 1.3 are enabled; enabling DTLS ClientHello fragmenting])
+  ENABLED_DTLS_CH_FRAG=yes
+  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
+fi
+
 # CODING
 AC_ARG_ENABLE([coding],
     [AS_HELP_STRING([--enable-coding],[Enable Coding base 16/64 (default: enabled)])],