wolfSSL · Frauschi · Feb 2, 2026
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -77,9 +77,9 @@ jobs:
             -DWOLFSSL_TICKET_NONCE_MALLOC:BOOL=yes -DWOLFSSL_TLS13:BOOL=yes -DWOLFSSL_TLSV12:BOOL=yes \
             -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
             -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
-            -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
-            -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
-            -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
+            -DWOLFSSL_MLKEM:BOOL=yes -DWOLFSSL_EXTRA_PQC_HYBRIDS:BOOL=yes -DWOLFSSL_LMS:BOOL=yes \
+            -DWOLFSSL_LMSSHA256192:BOOL=yes -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes \
+            -DWOLFSSL_PKCS11:BOOL=yes -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
             -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
             ..
         cmake --build .

diff --git a/.github/workflows/rust-wrapper.yml b/.github/workflows/rust-wrapper.yml
@@ -39,36 +39,36 @@ jobs:
           '',
           '--enable-all',
           '--enable-cryptonly --disable-examples',
-          '--enable-cryptonly --disable-examples --disable-aes --disable-aesgcm',
-          '--enable-cryptonly --disable-examples --disable-aescbc',
-          '--enable-cryptonly --disable-examples --disable-aeseax',
-          '--enable-cryptonly --disable-examples --disable-aesecb',
-          '--enable-cryptonly --disable-examples --disable-aesccm',
-          '--enable-cryptonly --disable-examples --disable-aescfb',
-          '--enable-cryptonly --disable-examples --disable-aesctr',
-          '--enable-cryptonly --disable-examples --disable-aescts',
-          '--enable-cryptonly --disable-examples --disable-aesgcm',
-          '--enable-cryptonly --disable-examples --disable-aesgcm-stream',
-          '--enable-cryptonly --disable-examples --disable-aesofb',
-          '--enable-cryptonly --disable-examples --disable-aesxts',
-          '--enable-cryptonly --disable-examples --disable-cmac',
-          '--enable-cryptonly --disable-examples --disable-dh',
-          '--enable-cryptonly --disable-examples --disable-ecc',
-          '--enable-cryptonly --disable-examples --disable-ed25519',
-          '--enable-cryptonly --disable-examples --disable-ed25519-stream',
-          '--enable-cryptonly --disable-examples --disable-ed448',
-          '--enable-cryptonly --disable-examples --disable-ed448-stream',
-          '--enable-cryptonly --disable-examples --disable-hkdf',
-          '--enable-cryptonly --disable-examples --disable-hmac',
-          '--enable-cryptonly --disable-examples --disable-rng',
-          '--enable-cryptonly --disable-examples --disable-rsa',
-          '--enable-cryptonly --disable-examples --disable-rsapss',
-          '--enable-cryptonly --disable-examples --disable-sha224',
-          '--enable-cryptonly --disable-examples --disable-sha3',
-          '--enable-cryptonly --disable-examples --disable-sha384',
-          '--enable-cryptonly --disable-examples --disable-sha512',
-          '--enable-cryptonly --disable-examples --disable-shake128',
-          '--enable-cryptonly --disable-examples --disable-shake256',
-          '--enable-cryptonly --disable-examples --disable-srtp-kdf',
-          '--enable-cryptonly --disable-examples --disable-x963kdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aes --disable-aesgcm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescbc',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aeseax',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesecb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesccm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescfb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesctr',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescts',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesgcm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesgcm-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesofb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesxts',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-cmac',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-dh',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ecc',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed25519',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed25519-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed448',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed448-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-hkdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-hmac',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rng',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rsa',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rsapss',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha224',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha3',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha384',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha512',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-shake128',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-shake256',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-srtp-kdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-x963kdf',
         ]
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -427,6 +427,18 @@ if(WOLFSSL_DTLS_CID)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CID")
 endif()
 
+# DTLS 1.3 ClientHello fragmenting
+add_option("WOLFSSL_DTLS_CH_FRAG"
+    "Enable wolfSSL DTLS 1.3 ClientHello fragmenting (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_DTLS_CH_FRAG)
+    if(NOT WOLFSSL_DTLS13)
+        message(FATAL_ERROR "DTLS 1.3 Fragment ClientHello is supported only for DTLSv1.3")
+    endif()
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CH_FRAG")
+endif()
+
 # RNG
 add_option("WOLFSSL_RNG"
     "Enable compiling and using RNG (default: enabled)"
@@ -601,13 +613,46 @@ add_option(WOLFSSL_OQS
 # ML-KEM/Kyber
 add_option(WOLFSSL_MLKEM
     "Enable the wolfSSL PQ ML-KEM library (default: disabled)"
-    "no" "yes;no")
+    "yes" "yes;no")
+
+if (WOLFSSL_MLKEM)
+    set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
+endif()
+
+# When MLKEM and DTLS 1.3 are both enabled, DTLS ClientHello fragmenting is
+# required (PQC keys in ClientHello can exceed MTU), so enable it automatically.
+if(WOLFSSL_MLKEM AND WOLFSSL_DTLS13 AND NOT WOLFSSL_DTLS_CH_FRAG)
+    message(STATUS "MLKEM and DTLS 1.3 are enabled; enabling DTLS ClientHello fragmenting")
+    override_cache(WOLFSSL_DTLS_CH_FRAG "yes")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CH_FRAG")
+endif()
+
+# Disable ML-KEM as standalone TLS key exchange (non-hybrid); when enabled (default), standalone is disabled
+add_option(WOLFSSL_TLS_NO_MLKEM_STANDALONE
+    "Disable ML-KEM as standalone TLS key exchange (non-hybrid) (default: enabled, i.e. standalone disabled)"
+    "yes" "yes;no")
+
+if (WOLFSSL_TLS_NO_MLKEM_STANDALONE)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_TLS_NO_MLKEM_STANDALONE")
+endif()
 
 # Dilithium
 add_option(WOLFSSL_DILITHIUM
     "Enable the wolfSSL PQ Dilithium (ML-DSA) implementation (default: disabled)"
     "no" "yes;no")
 
+if (WOLFSSL_DILITHIUM)
+    set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
+endif()
+
 # LMS
 add_option(WOLFSSL_LMS
     "Enable the PQ LMS Stateful Hash-based Signature Scheme (default: disabled)"
@@ -617,11 +662,25 @@ add_option(WOLFSSL_LMSSHA256192
     "Enable the LMS SHA_256_192 truncated variant (default: disabled)"
     "no" "yes;no")
 
+if (WOLFSSL_LMS)
+    set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
+
+    if (WOLFSSL_LMSSHA256192)
+        set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
+        set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
+    endif()
+endif()
+
 # Experimental features
 add_option(WOLFSSL_EXPERIMENTAL
     "Enable experimental features (default: disabled)"
     "no" "yes;no")
 
+add_option(WOLFSSL_EXTRA_PQC_HYBRIDS
+    "Enable extra PQ/T hybrid combinations (default: disabled)"
+    "no" "yes;no")
+
 message(STATUS "Looking for WOLFSSL_EXPERIMENTAL")
 if (WOLFSSL_EXPERIMENTAL)
     message(STATUS "Looking for WOLFSSL_EXPERIMENTAL - found")
@@ -657,75 +716,14 @@ if (WOLFSSL_EXPERIMENTAL)
         message(STATUS "Looking for WOLFSSL_OQS - not found")
     endif()
 
-    # Checking for experimental feature: WOLFSSL_MLKEM
-    message(STATUS "Looking for WOLFSSL_MLKEM")
-    if (WOLFSSL_MLKEM)
+    # Checking for experimental feature: extra PQ/T hybrid combinations
+    message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS")
+    if (WOLFSSL_EXTRA_PQC_HYBRIDS)
         set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
-
-        message(STATUS "Automatically set related requirements for ML-KEM:")
-        add_definitions("-DWOLFSSL_HAVE_MLKEM")
-        add_definitions("-DWOLFSSL_WC_MLKEM")
-        add_definitions("-DWOLFSSL_SHA3")
-        add_definitions("-DWOLFSSL_SHAKE128")
-        add_definitions("-DWOLFSSL_SHAKE256")
-
-        set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
-        message(STATUS "Looking for WOLFSSL_MLKEM - found")
+        message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS - found")
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_EXTRA_PQC_HYBRIDS")
     else()
-        message(STATUS "Looking for WOLFSSL_MLKEM - not found")
-    endif()
-
-    # Checking for experimental feature: WOLFSSL_LMS
-    message(STATUS "Looking for WOLFSSL_LMS")
-    if (WOLFSSL_LMS)
-        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 2)
-
-        message(STATUS "Automatically set related requirements for LMS")
-        add_definitions("-DWOLFSSL_HAVE_LMS")
-        add_definitions("-DWOLFSSL_WC_LMS")
-        set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
-        message(STATUS "Looking for WOLFSSL_LMS - found")
-        # Checking for experimental feature: WOLFSSL_LMSSHA256192
-        if (WOLFSSL_LMSSHA256192)
-            message(STATUS "Automatically set related requirements for LMS SHA256-192")
-            add_definitions("-DWOLFSSL_LMS_SHA256_192")
-            add_definitions("-DWOLFSSL_NO_LMS_SHA256_256")
-            set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
-            set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
-            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - found")
-        else()
-            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - not found")
-        endif()
-    else()
-        message(STATUS "Looking for WOLFSSL_LMS - not found")
-    endif()
-
-    # Checking for experimental feature: Dilithium
-    message(STATUS "Looking for WOLFSSL_DILITHIUM")
-    if (WOLFSSL_DILITHIUM)
-        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
-
-        message(STATUS "Automatically set related requirements for Dilithium:")
-        add_definitions("-DHAVE_DILITHIUM")
-        add_definitions("-DWOLFSSL_WC_DILITHIUM")
-        add_definitions("-DWOLFSSL_SHA3")
-        add_definitions("-DWOLFSSL_SHAKE128")
-        add_definitions("-DWOLFSSL_SHAKE256")
-
-        message(STATUS "Automatically set related requirements for Dilithium:")
-        set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
-        message(STATUS "Looking for WOLFSSL_DILITHIUM - found")
-    else()
-        message(STATUS "Looking for WOLFSSL_DILITHIUM - not found")
+        message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS - not found")
     endif()
 
     # Other experimental feature detection can be added here...
@@ -750,12 +748,6 @@ else()
     if (WOLFSSL_OQS)
         message(FATAL_ERROR "Error: WOLFSSL_OQS requires WOLFSSL_EXPERIMENTAL at this time.")
     endif()
-    if(WOLFSSL_MLKEM)
-        message(FATAL_ERROR "Error: WOLFSSL_MLKEM requires WOLFSSL_EXPERIMENTAL at this time.")
-    endif()
-    if(WOLFSSL_DILITHIUM)
-        message(FATAL_ERROR "Error: WOLFSSL_DILITHIUM requires WOLFSSL_EXPERIMENTAL at this time.")
-    endif()
 endif()
 
 # LMS

diff --git a/cmake/options.h.in b/cmake/options.h.in
@@ -374,6 +374,8 @@ extern "C" {
 #cmakedefine WOLFSSL_HAVE_MLKEM
 #undef WOLFSSL_WC_MLKEM
 #cmakedefine WOLFSSL_WC_MLKEM
+#undef WOLFSSL_TLS_NO_MLKEM_STANDALONE
+#cmakedefine WOLFSSL_TLS_NO_MLKEM_STANDALONE
 #undef WOLFSSL_WC_DILITHIUM
 #cmakedefine WOLFSSL_WC_DILITHIUM
 #undef NO_WOLFSSL_STUB
@@ -400,6 +402,8 @@ extern "C" {
 #cmakedefine WOLFSSL_HAVE_XMSS
 #undef WOLFSSL_WC_XMSS
 #cmakedefine WOLFSSL_WC_XMSS
+#undef WOLFSSL_EXTRA_PQC_HYBRIDS
+#cmakedefine WOLFSSL_EXTRA_PQC_HYBRIDS
 
 #ifdef __cplusplus
 }

diff --git a/configure.ac b/configure.ac
@@ -1614,7 +1614,7 @@ AC_ARG_WITH([liboqs],
 AC_ARG_ENABLE([mlkem],
     [AS_HELP_STRING([--enable-mlkem],[Enable MLKEM (default: disabled)])],
     [ ENABLED_MLKEM=$enableval ],
-    [ ENABLED_MLKEM=no ]
+    [ ENABLED_MLKEM=yes ]
     )
 # note, inherits default from "mlkem" clause above.
 AC_ARG_ENABLE([kyber],
@@ -1745,8 +1745,32 @@ then
     fi
 fi
 
+AC_ARG_ENABLE([tls-mlkem-standalone],
+    [AS_HELP_STRING([--enable-tls-mlkem-standalone],[Enable ML-KEM as standalone TLS key exchange (non-hybrid) (default: disabled)])],
+    [ ENABLED_MLKEM_STANDALONE=$enableval ],
+    [ ENABLED_MLKEM_STANDALONE=no ]
+    )
+
+if test "$ENABLED_MLKEM_STANDALONE" != "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_NO_MLKEM_STANDALONE"
+fi
+
+# Extra PQ/T Hybrid combinations
+AC_ARG_ENABLE([extra-pqc-hybrids],
+    [AS_HELP_STRING([--enable-extra-pqc-hybrids],[Enable extra PQ/T hybrid combinations (default: disabled)])],
+    [ ENABLED_EXTRA_PQC_HYBRIDS=$enableval ],
+    [ ENABLED_EXTRA_PQC_HYBRIDS=no ]
+    )
+
+if test "$ENABLED_EXTRA_PQC_HYBRIDS" = "yes"
+then
+    AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires --enable-experimental.]) ])
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_PQC_HYBRIDS"
+fi
+
 # Dilithium
-#  - SHA3, Shake128, Shake256 and AES-CTR
+#  - SHA3, Shake128 and Shake256
 AC_ARG_ENABLE([mldsa],
     [AS_HELP_STRING([--enable-mldsa],[Enable MLDSA (default: disabled)])],
     [ ENABLED_DILITHIUM=$enableval ],
@@ -5594,6 +5618,15 @@ then
   AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
 fi
 
+# When MLKEM and DTLS 1.3 are both enabled, DTLS ClientHello fragmenting is
+# required (PQC keys in ClientHello can exceed MTU), so enable it automatically.
+if test "x$ENABLED_MLKEM" != "xno" && test "x$ENABLED_DTLS13" = "xyes" && test "x$ENABLED_DTLS_CH_FRAG" != "xyes"
+then
+  AC_MSG_NOTICE([MLKEM and DTLS 1.3 are enabled; enabling DTLS ClientHello fragmenting])
+  ENABLED_DTLS_CH_FRAG=yes
+  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
+fi
+
 # CODING
 AC_ARG_ENABLE([coding],
     [AS_HELP_STRING([--enable-coding],[Enable Coding base 16/64 (default: enabled)])],

diff --git a/examples/benchmark/tls_bench.c b/examples/benchmark/tls_bench.c
@@ -296,17 +296,21 @@ static struct group_info groups[] = {
     { WOLFSSL_FFDHE_8192, "FFDHE_8192" },
 #ifdef HAVE_PQC
 #ifndef WOLFSSL_NO_ML_KEM
+    #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE
     { WOLFSSL_ML_KEM_512, "ML_KEM_512" },
     { WOLFSSL_ML_KEM_768, "ML_KEM_768" },
     { WOLFSSL_ML_KEM_1024, "ML_KEM_1024" },
+    #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */
+    { WOLFSSL_SECP256R1MLKEM768,   "SecP256r1MLKEM768"   },
+    { WOLFSSL_SECP384R1MLKEM1024,  "SecP384r1MLKEM1024"  },
+    { WOLFSSL_X25519MLKEM768, "X25519MLKEM768" },
+    #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
     { WOLFSSL_SECP256R1MLKEM512,   "SecP256r1MLKEM512"   },
     { WOLFSSL_SECP384R1MLKEM768,   "SecP384r1MLKEM768"   },
-    { WOLFSSL_SECP256R1MLKEM768,   "SecP256r1MLKEM768"   },
     { WOLFSSL_SECP521R1MLKEM1024,  "SecP521r1MLKEM1024"  },
-    { WOLFSSL_SECP384R1MLKEM1024,  "SecP384r1MLKEM1024"  },
     { WOLFSSL_X25519MLKEM512, "X25519MLKEM512" },
     { WOLFSSL_X448MLKEM768,   "X448MLKEM768"   },
-    { WOLFSSL_X25519MLKEM768, "X25519MLKEM768" },
+    #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
 #endif
 #ifdef WOLFSSL_MLKEM_KYBER
     { WOLFSSL_KYBER_LEVEL1, "KYBER_LEVEL1" },