Enable and use ML-KEM by default

* Enable ML-KEM by default in build systems (autoconf and CMake)
* Only allow three to-be-standardized hybrid PQ/T combinations by
  default
* Use X25519MLKEM768 as the default KeyShare in the ClientHello (if user
  does not override that). When Curve25519 is disabled, then either
  WOLFSSL_SECP384R1MLKEM1024 or WOLFSSL_SECP256R1MLKEM768 is used as
  default depending on the ECC configuration
* Disable standalone ML-KEM in supported groups by default (enable with
  --enable-tls-mlkem-standalone)
* Disable extra OQS-based hybrid PQ/T curves by default and gate
  behind --enable-experimental (enable with --enable-extra-pqc-hybrids)
* Reorder the SupportedGroups extension to reflect the preferences
* Reorder the preferredGroup array to also reflect the same preferences
* Add async support for ML-KEM hybrids

Author: Frauschi

.github/workflows/async.yml

@@ -18,6 +18,10 @@ jobs:
       matrix:
         config: [
           # Add new configs here
+          '--enable-asynccrypt --enable-all --enable-dtls13 --disable-mlkem CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFCRYPT_TEST_LINT"',
+          '--enable-asynccrypt-sw --enable-ocspstapling --enable-ocspstapling2 --disable-mlkem CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-asynccrypt --enable-all --enable-dtls13 --disable-pqc-hybrids --enable-tls-mlkem-standalone CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFCRYPT_TEST_LINT"',
+          '--enable-asynccrypt-sw --enable-ocspstapling --enable-ocspstapling2 --disable-pqc-hybrids --enable-tls-mlkem-standalone CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
           '--enable-asynccrypt --enable-all --enable-dtls13 CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFCRYPT_TEST_LINT"',
           '--enable-asynccrypt-sw --enable-ocspstapling --enable-ocspstapling2 CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
           '--enable-ocsp CFLAGS="-DTEST_NONBLOCK_CERTS -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',

.github/workflows/cmake.yml

@@ -73,6 +73,7 @@ jobs:
             -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
             -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
             -DWOLFSSL_WC_RSA_DIRECT:BOOL=yes -DWOLFSSL_PUBLIC_MP:BOOL=yes \
+            -DWOLFSSL_EXTRA_PQC_HYBRIDS:BOOL=yes -DWOLFSSL_TLS_NO_MLKEM_STANDALONE:BOOL=no \
             ..
         cmake --build .
         ctest -j $(nproc)

.github/workflows/os-check.yml

@@ -38,6 +38,12 @@ jobs:
           '--enable-experimental --enable-kyber --enable-dtls --enable-dtls13
              --enable-dtls-frag-ch',
           '--enable-all --enable-dtls13 --enable-dtls-frag-ch',
+          '--enable-all --enable-dtls13 --enable-dtls-frag-ch --disable-mlkem',
+          '--enable-all --enable-dtls13 --enable-dtls-frag-ch
+           --enable-tls-mlkem-standalone',
+          '--enable-all --enable-dtls13 --enable-dtls-frag-ch
+           --enable-tls-mlkem-standalone --enable-experimental
+           --enable-extra-pqc-hybrids',
           '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
            --enable-dtls-mtu',
           '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation

.github/workflows/pq-all.yml

@@ -27,9 +27,13 @@ jobs:
           '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-slhdsa --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ"',
           '--disable-intelasm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-slhdsa=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"',
           '--disable-intelasm --enable-smallstack --enable-smallstackcache --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-slhdsa=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"',
-          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-mlkem=make,enc,dec,512 --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-mlkem=make,enc,dec,512 --enable-tls-mlkem-standalone --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
           '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-mlkem=make,enc,dec,768 --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-mlkem=make,enc,dec,768 --enable-tls-mlkem-standalone --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-mlkem=make,enc,dec,768 --enable-tls-mlkem-standalone --disable-pqc-hybrids --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
           '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-mlkem=make,enc,dec,1024 --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-mlkem=make,enc,dec,1024 --enable-tls-mlkem-standalone --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-mlkem=make,enc,dec,1024 --enable-tls-mlkem-standalone --disable-pqc-hybrids --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

.github/workflows/psk.yml

@@ -18,10 +18,10 @@ jobs:
       matrix:
         config: [
           # Add new configs here
-          '--enable-psk C_EXTRA_FLAGS="-DWOLFSSL_STATIC_PSK -DWOLFSSL_OLDTLS_SHA2_CIPHERSUITES"',
-          '--enable-psk C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --disable-rsa --disable-ecc --disable-dh',
-          '--disable-oldtls --disable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all',
-          '--disable-oldtls --disable-tlsv12 --enable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all'
+          '--enable-psk  --disable-mlkem C_EXTRA_FLAGS="-DWOLFSSL_STATIC_PSK -DWOLFSSL_OLDTLS_SHA2_CIPHERSUITES"',
+          '--enable-psk  --disable-mlkem C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --disable-rsa --disable-ecc --disable-dh',
+          '--disable-oldtls --disable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all --disable-mlkem',
+          '--disable-oldtls --disable-tlsv12 --enable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all --disable-mlkem'
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

.github/workflows/rust-wrapper.yml

@@ -41,36 +41,36 @@ jobs:
           '--enable-all --enable-dilithium',
           '--enable-all --enable-mlkem',
           '--enable-cryptonly --disable-examples',
-          '--enable-cryptonly --disable-examples --disable-aes --disable-aesgcm',
-          '--enable-cryptonly --disable-examples --disable-aescbc',
-          '--enable-cryptonly --disable-examples --disable-aeseax',
-          '--enable-cryptonly --disable-examples --disable-aesecb',
-          '--enable-cryptonly --disable-examples --disable-aesccm',
-          '--enable-cryptonly --disable-examples --disable-aescfb',
-          '--enable-cryptonly --disable-examples --disable-aesctr',
-          '--enable-cryptonly --disable-examples --disable-aescts',
-          '--enable-cryptonly --disable-examples --disable-aesgcm',
-          '--enable-cryptonly --disable-examples --disable-aesgcm-stream',
-          '--enable-cryptonly --disable-examples --disable-aesofb',
-          '--enable-cryptonly --disable-examples --disable-aesxts',
-          '--enable-cryptonly --disable-examples --disable-cmac',
-          '--enable-cryptonly --disable-examples --disable-dh',
-          '--enable-cryptonly --disable-examples --disable-ecc',
-          '--enable-cryptonly --disable-examples --disable-ed25519',
-          '--enable-cryptonly --disable-examples --disable-ed25519-stream',
-          '--enable-cryptonly --disable-examples --disable-ed448',
-          '--enable-cryptonly --disable-examples --disable-ed448-stream',
-          '--enable-cryptonly --disable-examples --disable-hkdf',
-          '--enable-cryptonly --disable-examples --disable-hmac',
-          '--enable-cryptonly --disable-examples --disable-rng',
-          '--enable-cryptonly --disable-examples --disable-rsa',
-          '--enable-cryptonly --disable-examples --disable-rsapss',
-          '--enable-cryptonly --disable-examples --disable-sha224',
-          '--enable-cryptonly --disable-examples --disable-sha3',
-          '--enable-cryptonly --disable-examples --disable-sha384',
-          '--enable-cryptonly --disable-examples --disable-sha512',
-          '--enable-cryptonly --disable-examples --disable-shake128',
-          '--enable-cryptonly --disable-examples --disable-shake256',
-          '--enable-cryptonly --disable-examples --disable-srtp-kdf',
-          '--enable-cryptonly --disable-examples --disable-x963kdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aes --disable-aesgcm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescbc',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aeseax',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesecb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesccm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescfb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesctr',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescts',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesgcm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesgcm-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesofb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesxts',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-cmac',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-dh',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ecc',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed25519',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed25519-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed448',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed448-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-hkdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-hmac',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rng',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rsa',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rsapss',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha224',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha3',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha384',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha512',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-shake128',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-shake256',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-srtp-kdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-x963kdf',
         ]

.github/workflows/zephyr.yml

@@ -28,7 +28,7 @@ jobs:
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
-    timeout-minutes: 25
+    timeout-minutes: 45
     steps:
       - name: Install dependencies
         run: |

.wolfssl_known_macro_extras

@@ -174,6 +174,7 @@ CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
 CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE
 CONFIG_WOLFSSL_HKDF
 CONFIG_WOLFSSL_MAX_FRAGMENT_LEN
+CONFIG_WOLFSSL_MLKEM
 CONFIG_WOLFSSL_NO_ASN_STRICT
 CONFIG_WOLFSSL_PSK
 CONFIG_WOLFSSL_RSA_PSS

CMakeLists.txt

@@ -610,7 +610,7 @@ add_option(WOLFSSL_OQS
 # ML-KEM/Kyber
 add_option(WOLFSSL_MLKEM
     "Enable the wolfSSL PQ ML-KEM library (default: disabled)"
-    "no" "yes;no")
+    "yes" "yes;no")
 
 if (WOLFSSL_MLKEM)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_MLKEM")
@@ -626,6 +626,32 @@ if (WOLFSSL_MLKEM)
     set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
 endif()
 
+# When MLKEM and DTLS 1.3 are both enabled, DTLS ClientHello fragmenting is
+# required (PQC keys in ClientHello can exceed MTU), so enable it automatically.
+if(WOLFSSL_MLKEM AND WOLFSSL_DTLS13 AND NOT WOLFSSL_DTLS_CH_FRAG)
+    message(STATUS "MLKEM and DTLS 1.3 are enabled; enabling DTLS ClientHello fragmenting")
+    override_cache(WOLFSSL_DTLS_CH_FRAG "yes")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CH_FRAG")
+endif()
+
+# Disable ML-KEM as standalone TLS key exchange (non-hybrid); when enabled (default), standalone is disabled
+add_option(WOLFSSL_TLS_NO_MLKEM_STANDALONE
+    "Disable ML-KEM as standalone TLS key exchange (non-hybrid) (default: enabled, i.e. standalone disabled)"
+    "yes" "yes;no")
+
+if (WOLFSSL_TLS_NO_MLKEM_STANDALONE)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_TLS_NO_MLKEM_STANDALONE")
+endif()
+
+# PQ/T hybrid combinations
+add_option(WOLFSSL_PQC_HYBRIDS
+    "Enable PQ/T hybrid combinations (default: enabled)"
+    "yes" "yes;no")
+
+if (WOLFSSL_PQC_HYBRIDS)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_PQC_HYBRIDS")
+endif()
+
 # Dilithium
 add_option(WOLFSSL_DILITHIUM
     "Enable the wolfSSL PQ Dilithium (ML-DSA) implementation (default: disabled)"
@@ -675,6 +701,10 @@ add_option(WOLFSSL_EXPERIMENTAL
     "Enable experimental features (default: disabled)"
     "no" "yes;no")
 
+add_option(WOLFSSL_EXTRA_PQC_HYBRIDS
+    "Enable extra PQ/T hybrid combinations (default: disabled)"
+    "no" "yes;no")
+
 message(STATUS "Looking for WOLFSSL_EXPERIMENTAL")
 if (WOLFSSL_EXPERIMENTAL)
     message(STATUS "Looking for WOLFSSL_EXPERIMENTAL - found")
@@ -710,6 +740,16 @@ if (WOLFSSL_EXPERIMENTAL)
         message(STATUS "Looking for WOLFSSL_OQS - not found")
     endif()
 
+    # Checking for experimental feature: extra PQ/T hybrid combinations
+    message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS")
+    if (WOLFSSL_EXTRA_PQC_HYBRIDS)
+        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
+        message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS - found")
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_EXTRA_PQC_HYBRIDS")
+    else()
+        message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS - not found")
+    endif()
+
     # Other experimental feature detection can be added here...
 
     # Were any experimental features found? Display a message.

IDE/WIN10/wolfssl-fips.vcxproj

@@ -292,6 +292,8 @@
     <ClCompile Include="..\..\wolfcrypt\src\logging.c" />
     <ClCompile Include="..\..\wolfcrypt\src\md5.c" />
     <ClCompile Include="..\..\wolfcrypt\src\memory.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\wc_mlkem.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\wc_mlkem_poly.c" />
     <ClCompile Include="..\..\src\ocsp.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sha3.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sp_c32.c" />