Enable and use ML-KEM by default

* Enable ML-KEM by default
* Only allow three to-be-standardized hybrid PQ/T combinatations by
  default
* Use X25519MLKEM768 as the default KeyShare in the ClientHello (if user
  does not override that)
* Disable standalone ML-KEM in supported groups by default (enable with
  --enable-tls-mlkem-standalone)
* Disable extra OQS-based hybrid PQ/T curves by default and gate
  behind --enable-experimental (enable with --enable-extra-pqc-hybrids)
* Reorder the SupportedGroups extension to reflect the preferences
* Reorder the preferredGroup array to also reflect the same preferences
* Enable DTLS1.3 ClientHello fragmentation by default when both DTLS1.3
  and ML-KEM are enabled
* Fix memory leak in TLS server PQC handling in case of ECH

Author: Frauschi

.github/workflows/cmake.yml

@@ -69,9 +69,9 @@ jobs:
             -DWOLFSSL_TICKET_NONCE_MALLOC:BOOL=yes -DWOLFSSL_TLS13:BOOL=yes -DWOLFSSL_TLSV12:BOOL=yes \
             -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
             -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
-            -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
-            -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
-            -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
+            -DWOLFSSL_MLKEM:BOOL=yes -DWOLFSSL_EXTRA_PQC_HYBRIDS:BOOL=yes -DWOLFSSL_LMS:BOOL=yes \
+            -DWOLFSSL_LMSSHA256192:BOOL=yes -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes \
+            -DWOLFSSL_PKCS11:BOOL=yes -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
             -DWOLFSSL_WC_RSA_DIRECT:BOOL=yes -DWOLFSSL_PUBLIC_MP:BOOL=yes \
             ..
         cmake --build .

.github/workflows/os-check.yml

@@ -38,6 +38,12 @@ jobs:
           '--enable-experimental --enable-kyber --enable-dtls --enable-dtls13
              --enable-dtls-frag-ch',
           '--enable-all --enable-dtls13 --enable-dtls-frag-ch',
+          '--enable-all --enable-dtls13 --enable-dtls-frag-ch --disable-mlkem',
+          '--enable-all --enable-dtls13 --enable-dtls-frag-ch
+           --enable-tls-mlkem-standalone',
+          '--enable-all --enable-dtls13 --enable-dtls-frag-ch
+           --enable-tls-mlkem-standalone --enable-experimental
+           --enable-extra-pqc-hybrids',
           '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
            --enable-dtls-mtu',
           '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation

.github/workflows/psk.yml

@@ -18,9 +18,9 @@ jobs:
       matrix:
         config: [
           # Add new configs here
-          '--enable-psk C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --disable-rsa --disable-ecc --disable-dh',
-          '--disable-oldtls --disable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all',
-          '--disable-oldtls --disable-tlsv12 --enable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all'
+          '--enable-psk C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --disable-rsa --disable-ecc --disable-dh --disable-mlkem',
+          '--disable-oldtls --disable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all --disable-mlkem',
+          '--disable-oldtls --disable-tlsv12 --enable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all --disable-mlkem'
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

.github/workflows/rust-wrapper.yml

@@ -39,36 +39,36 @@ jobs:
           '',
           '--enable-all',
           '--enable-cryptonly --disable-examples',
-          '--enable-cryptonly --disable-examples --disable-aes --disable-aesgcm',
-          '--enable-cryptonly --disable-examples --disable-aescbc',
-          '--enable-cryptonly --disable-examples --disable-aeseax',
-          '--enable-cryptonly --disable-examples --disable-aesecb',
-          '--enable-cryptonly --disable-examples --disable-aesccm',
-          '--enable-cryptonly --disable-examples --disable-aescfb',
-          '--enable-cryptonly --disable-examples --disable-aesctr',
-          '--enable-cryptonly --disable-examples --disable-aescts',
-          '--enable-cryptonly --disable-examples --disable-aesgcm',
-          '--enable-cryptonly --disable-examples --disable-aesgcm-stream',
-          '--enable-cryptonly --disable-examples --disable-aesofb',
-          '--enable-cryptonly --disable-examples --disable-aesxts',
-          '--enable-cryptonly --disable-examples --disable-cmac',
-          '--enable-cryptonly --disable-examples --disable-dh',
-          '--enable-cryptonly --disable-examples --disable-ecc',
-          '--enable-cryptonly --disable-examples --disable-ed25519',
-          '--enable-cryptonly --disable-examples --disable-ed25519-stream',
-          '--enable-cryptonly --disable-examples --disable-ed448',
-          '--enable-cryptonly --disable-examples --disable-ed448-stream',
-          '--enable-cryptonly --disable-examples --disable-hkdf',
-          '--enable-cryptonly --disable-examples --disable-hmac',
-          '--enable-cryptonly --disable-examples --disable-rng',
-          '--enable-cryptonly --disable-examples --disable-rsa',
-          '--enable-cryptonly --disable-examples --disable-rsapss',
-          '--enable-cryptonly --disable-examples --disable-sha224',
-          '--enable-cryptonly --disable-examples --disable-sha3',
-          '--enable-cryptonly --disable-examples --disable-sha384',
-          '--enable-cryptonly --disable-examples --disable-sha512',
-          '--enable-cryptonly --disable-examples --disable-shake128',
-          '--enable-cryptonly --disable-examples --disable-shake256',
-          '--enable-cryptonly --disable-examples --disable-srtp-kdf',
-          '--enable-cryptonly --disable-examples --disable-x963kdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aes --disable-aesgcm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescbc',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aeseax',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesecb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesccm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescfb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesctr',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aescts',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesgcm',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesgcm-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesofb',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-aesxts',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-cmac',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-dh',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ecc',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed25519',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed25519-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed448',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-ed448-stream',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-hkdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-hmac',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rng',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rsa',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-rsapss',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha224',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha3',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha384',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-sha512',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-shake128',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-shake256',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-srtp-kdf',
+          '--enable-cryptonly --disable-examples --disable-mlkem --disable-x963kdf',
         ]

CMakeLists.txt

@@ -610,13 +610,58 @@ add_option(WOLFSSL_OQS
 # ML-KEM/Kyber
 add_option(WOLFSSL_MLKEM
     "Enable the wolfSSL PQ ML-KEM library (default: disabled)"
-    "no" "yes;no")
+    "yes" "yes;no")
+
+if (WOLFSSL_MLKEM)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_MLKEM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_MLKEM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA3")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE128")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE256")
+
+    set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
+endif()
+
+# When MLKEM and DTLS 1.3 are both enabled, DTLS ClientHello fragmenting is
+# required (PQC keys in ClientHello can exceed MTU), so enable it automatically.
+if(WOLFSSL_MLKEM AND WOLFSSL_DTLS13 AND NOT WOLFSSL_DTLS_CH_FRAG)
+    message(STATUS "MLKEM and DTLS 1.3 are enabled; enabling DTLS ClientHello fragmenting")
+    override_cache(WOLFSSL_DTLS_CH_FRAG "yes")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CH_FRAG")
+endif()
+
+# Disable ML-KEM as standalone TLS key exchange (non-hybrid); when enabled (default), standalone is disabled
+add_option(WOLFSSL_TLS_NO_MLKEM_STANDALONE
+    "Disable ML-KEM as standalone TLS key exchange (non-hybrid) (default: enabled, i.e. standalone disabled)"
+    "yes" "yes;no")
+
+if (WOLFSSL_TLS_NO_MLKEM_STANDALONE)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_TLS_NO_MLKEM_STANDALONE")
+endif()
 
 # Dilithium
 add_option(WOLFSSL_DILITHIUM
     "Enable the wolfSSL PQ Dilithium (ML-DSA) implementation (default: disabled)"
     "no" "yes;no")
 
+if (WOLFSSL_DILITHIUM)
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_DILITHIUM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_DILITHIUM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA3")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE128")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE256")
+
+    set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
+endif()
+
 # LMS
 add_option(WOLFSSL_LMS
     "Enable the PQ LMS Stateful Hash-based Signature Scheme (default: disabled)"
@@ -626,11 +671,31 @@ add_option(WOLFSSL_LMSSHA256192
     "Enable the LMS SHA_256_192 truncated variant (default: disabled)"
     "no" "yes;no")
 
+if (WOLFSSL_LMS)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_LMS")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_LMS")
+
+    set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
+
+    if (WOLFSSL_LMSSHA256192)
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_LMS_SHA256_192")
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_NO_LMS_SHA256_256")
+
+        set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
+        set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
+    endif()
+endif()
+
 # Experimental features
 add_option(WOLFSSL_EXPERIMENTAL
     "Enable experimental features (default: disabled)"
     "no" "yes;no")
 
+add_option(WOLFSSL_EXTRA_PQC_HYBRIDS
+    "Enable extra PQ/T hybrid combinations (default: disabled)"
+    "no" "yes;no")
+
 message(STATUS "Looking for WOLFSSL_EXPERIMENTAL")
 if (WOLFSSL_EXPERIMENTAL)
     message(STATUS "Looking for WOLFSSL_EXPERIMENTAL - found")
@@ -666,75 +731,14 @@ if (WOLFSSL_EXPERIMENTAL)
         message(STATUS "Looking for WOLFSSL_OQS - not found")
     endif()
 
-    # Checking for experimental feature: WOLFSSL_MLKEM
-    message(STATUS "Looking for WOLFSSL_MLKEM")
-    if (WOLFSSL_MLKEM)
-        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
-
-        message(STATUS "Automatically set related requirements for ML-KEM:")
-        add_definitions("-DWOLFSSL_HAVE_MLKEM")
-        add_definitions("-DWOLFSSL_WC_MLKEM")
-        add_definitions("-DWOLFSSL_SHA3")
-        add_definitions("-DWOLFSSL_SHAKE128")
-        add_definitions("-DWOLFSSL_SHAKE256")
-
-        set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
-        message(STATUS "Looking for WOLFSSL_MLKEM - found")
-    else()
-        message(STATUS "Looking for WOLFSSL_MLKEM - not found")
-    endif()
-
-    # Checking for experimental feature: WOLFSSL_LMS
-    message(STATUS "Looking for WOLFSSL_LMS")
-    if (WOLFSSL_LMS)
-        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 2)
-
-        message(STATUS "Automatically set related requirements for LMS")
-        add_definitions("-DWOLFSSL_HAVE_LMS")
-        add_definitions("-DWOLFSSL_WC_LMS")
-        set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
-        message(STATUS "Looking for WOLFSSL_LMS - found")
-        # Checking for experimental feature: WOLFSSL_LMSSHA256192
-        if (WOLFSSL_LMSSHA256192)
-            message(STATUS "Automatically set related requirements for LMS SHA256-192")
-            add_definitions("-DWOLFSSL_LMS_SHA256_192")
-            add_definitions("-DWOLFSSL_NO_LMS_SHA256_256")
-            set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
-            set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
-            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - found")
-        else()
-            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - not found")
-        endif()
-    else()
-        message(STATUS "Looking for WOLFSSL_LMS - not found")
-    endif()
-
-    # Checking for experimental feature: Dilithium
-    message(STATUS "Looking for WOLFSSL_DILITHIUM")
-    if (WOLFSSL_DILITHIUM)
+    # Checking for experimental feature: extra PQ/T hybrid combinations
+    message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS")
+    if (WOLFSSL_EXTRA_PQC_HYBRIDS)
         set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
-
-        message(STATUS "Automatically set related requirements for Dilithium:")
-        add_definitions("-DHAVE_DILITHIUM")
-        add_definitions("-DWOLFSSL_WC_DILITHIUM")
-        add_definitions("-DWOLFSSL_SHA3")
-        add_definitions("-DWOLFSSL_SHAKE128")
-        add_definitions("-DWOLFSSL_SHAKE256")
-
-        message(STATUS "Automatically set related requirements for Dilithium:")
-        set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
-        message(STATUS "Looking for WOLFSSL_DILITHIUM - found")
+        message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS - found")
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_EXTRA_PQC_HYBRIDS")
     else()
-        message(STATUS "Looking for WOLFSSL_DILITHIUM - not found")
+        message(STATUS "Looking for WOLFSSL_EXTRA_PQC_HYBRIDS - not found")
     endif()
 
     # Other experimental feature detection can be added here...
@@ -759,12 +763,6 @@ else()
     if (WOLFSSL_OQS)
         message(FATAL_ERROR "Error: WOLFSSL_OQS requires WOLFSSL_EXPERIMENTAL at this time.")
     endif()
-    if(WOLFSSL_MLKEM)
-        message(FATAL_ERROR "Error: WOLFSSL_MLKEM requires WOLFSSL_EXPERIMENTAL at this time.")
-    endif()
-    if(WOLFSSL_DILITHIUM)
-        message(FATAL_ERROR "Error: WOLFSSL_DILITHIUM requires WOLFSSL_EXPERIMENTAL at this time.")
-    endif()
 endif()
 
 # LMS

cmake/options.h.in

@@ -380,6 +380,8 @@ extern "C" {
 #cmakedefine WOLFSSL_HAVE_MLKEM
 #undef WOLFSSL_WC_MLKEM
 #cmakedefine WOLFSSL_WC_MLKEM
+#undef WOLFSSL_TLS_NO_MLKEM_STANDALONE
+#cmakedefine WOLFSSL_TLS_NO_MLKEM_STANDALONE
 #undef WOLFSSL_WC_DILITHIUM
 #cmakedefine WOLFSSL_WC_DILITHIUM
 #undef NO_WOLFSSL_STUB
@@ -408,6 +410,8 @@ extern "C" {
 #cmakedefine WOLFSSL_WC_XMSS
 #undef WC_RSA_DIRECT
 #cmakedefine WC_RSA_DIRECT
+#undef WOLFSSL_EXTRA_PQC_HYBRIDS
+#cmakedefine WOLFSSL_EXTRA_PQC_HYBRIDS
 
 #ifdef __cplusplus
 }