wolfSSL · Frauschi · Mar 24, 2026 · Mar 25, 2026 · Apr 9, 2026
diff --git a/.github/workflows/clang-tidy.yml b/.github/workflows/clang-tidy.yml
@@ -43,7 +43,7 @@ jobs:
           - name: "NSS+TPM Build"
             configure_flags: "--enable-nss --enable-tpm"
           - name: "PKCS#11 V3.2 PQC Build"
-            configure_flags: "--enable-pkcs11v32 --enable-mldsa"
+            configure_flags: "--enable-pkcs11v32 --enable-mldsa --enable-mlkem"
 
     steps:
     # Checkout wolfPKCS11

diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -62,7 +62,7 @@ jobs:
             -DWOLFPKCS11_AESKEYWRAP:BOOL=yes -DWOLFPKCS11_AESCTR:BOOL=yes -DWOLFPKCS11_AESCCM:BOOL=yes \
             -DWOLFPKCS11_AESECB:BOOL=yes -DWOLFPKCS11_AESCTS:BOOL=yes -DWOLFPKCS11_AESCMAC:BOOL=yes \
             -DWOLFPKCS11_PBKDF2:BOOL=yes -DWOLFPKCS11_SHA3:BOOL=yes -DWOLFPKCS11_PKCS11_V3_0:BOOL=yes \
-            -DWOLFPKCS11_PKCS11_V3_2:BOOL=yes -DWOLFPKCS11_MLDSA:BOOL=yes \
+            -DWOLFPKCS11_PKCS11_V3_2:BOOL=yes -DWOLFPKCS11_MLDSA:BOOL=yes -DWOLFPKCS11_MLKEM:BOOL=yes \
             -DCMAKE_MODULE_PATH="$GITHUB_WORKSPACE/install/${CMAKE_INSTALL_LIBDIR}" \
             ..
         cmake --build .

diff --git a/.github/workflows/sanitizer-tests.yml b/.github/workflows/sanitizer-tests.yml
@@ -26,7 +26,7 @@ jobs:
           - name: "NSS+TPM Build"
             configure_flags: "--enable-nss --enable-tpm"
           - name: "PKCS#11 V3.2 PQC Build"
-            configure_flags: "--enable-pkcs11v32 --enable-mldsa"
+            configure_flags: "--enable-pkcs11v32 --enable-mldsa --enable-mlkem"
 
     steps:
 #pull wolfPKCS11

diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -106,6 +106,10 @@ jobs:
     uses: ./.github/workflows/build-workflow.yml
     with:
       config: --enable-mldsa
+  mlkem:
+    uses: ./.github/workflows/build-workflow.yml
+    with:
+      config: --enable-mlkem
   debug:
     uses: ./.github/workflows/build-workflow.yml
     with:

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -474,12 +474,42 @@ endif()
 
 if(WOLFPKCS11_MLDSA)
     if(NOT WOLFPKCS11_PKCS11_V3_2)
-        message(FATAL_ERROR "ML-DSA requires PKCS#11 Version 3.2 support (enable WOLFPKCS11_PKCS11_V3_2)")
+        message(STATUS "ML-DSA requires PKCS#11 v3.2 support — enabling WOLFPKCS11_PKCS11_V3_2 automatically")
+        override_cache(WOLFPKCS11_PKCS11_V3_2 "yes")
+        if(NOT WOLFPKCS11_PKCS11_V3_0)
+            override_cache(WOLFPKCS11_PKCS11_V3_0 "yes")
+            list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_0")
+        endif()
+        list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_2")
     endif()
     list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_MLDSA")
 endif()
 
 
+# ML-KEM
+add_option("WOLFPKCS11_MLKEM"
+    "Enable wolfPKCS11 ML-KEM support (default: disabled)"
+    "no" "yes;no"
+)
+
+if(NOT WOLFPKCS11_SHA3)
+    override_cache(WOLFPKCS11_MLKEM "no")
+endif()
+
+if(WOLFPKCS11_MLKEM)
+    if(NOT WOLFPKCS11_PKCS11_V3_2)
+        message(STATUS "ML-KEM requires PKCS#11 v3.2 support — enabling WOLFPKCS11_PKCS11_V3_2 automatically")
+        override_cache(WOLFPKCS11_PKCS11_V3_2 "yes")
+        if(NOT WOLFPKCS11_PKCS11_V3_0)
+            override_cache(WOLFPKCS11_PKCS11_V3_0 "yes")
+            list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_0")
+        endif()
+        list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_2")
+    endif()
+    list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_MLKEM")
+endif()
+
+
 # If wolfpkcs11/options.h exists, delete it to avoid
 # a mixup with build/wolfpkcs11/options.h.
 if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/wolfpkcs11/options.h")

diff --git a/README.md b/README.md
@@ -64,6 +64,16 @@ As ML-DSA is a feature of PKCS#11 version 3.2, support for that is required,
 too. Hence, to enable all in wolfPKCS11, add `--enable-pkcs11v32 --enable-mldsa`
 during the configure step.
 
+### Optional: PQC ML-KEM Support
+
+To have ML-KEM support in wolfPKCS11, configure wolfSSL with ML-KEM (FIPS 203)
+support enabled, either by adding `--enable-mlkem` to `./configure` or by
+setting `WOLFPKCS11_MLKEM` to `yes` in CMake.
+
+As ML-KEM is a feature of PKCS#11 version 3.2, support for that is required,
+too. Hence, to enable all in wolfPKCS11, add `--enable-pkcs11v32 --enable-mlkem`
+during the configure step.
+
 ### Build options and defines
 
 #### Define WOLFPKCS11_TPM_STORE
@@ -207,7 +217,8 @@ cmake -DCMAKE_PREFIX_PATH=/path/to/wolfssl/install ..
 | `WOLFPKCS11_NSS` | `no` | NSS-specific modifications |
 | `WOLFPKCS11_PKCS11_V3_0` | `yes` | PKCS#11 v3.0 support |
 | `WOLFPKCS11_PKCS11_V3_2` | `no` | PKCS#11 v3.2 support |
-| `WOLFPKCS11_MLDSA` | `no`| ML-DSA support |
+| `WOLFPKCS11_MLDSA` | `no` | ML-DSA support |
+| `WOLFPKCS11_MLKEM` | `no` | ML-KEM support |
 | `WOLFPKCS11_EXAMPLES` | `yes` | Build examples |
 | `WOLFPKCS11_TESTS` | `yes` | Build and register tests |
 | `WOLFPKCS11_COVERAGE` | `no` | Code coverage support |

diff --git a/cmake/options.h.in b/cmake/options.h.in
@@ -94,6 +94,8 @@ extern "C" {
 #cmakedefine WOLFSSL_SHA3
 #undef WOLFPKCS11_MLDSA
 #cmakedefine WOLFPKCS11_MLDSA
+#undef WOLFPKCS11_MLKEM
+#cmakedefine WOLFPKCS11_MLKEM
 #undef WOLFPKCS11_TPM
 #cmakedefine WOLFPKCS11_TPM
 #undef WOLFPKCS11_NSS

diff --git a/configure.ac b/configure.ac
@@ -533,10 +533,39 @@ then
     if test "$ENABLED_PKCS11V3_2" = "no"; then
         ENABLED_PKCS11V3_2=yes
         AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
+        if test "$ENABLED_PKCS11V3_0" = "no"; then
+            ENABLED_PKCS11V3_0=yes
+            AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_0"
+        fi
     fi
     AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_MLDSA"
 fi
 
+AC_ARG_ENABLE([mlkem],
+    [AS_HELP_STRING([--enable-mlkem],[Enable ML-KEM (default: disabled)])],
+    [ ENABLED_MLKEM=$enableval ],
+    [ ENABLED_MLKEM=no ]
+    )
+
+if test "$ENABLED_SHA3" = "no"
+then
+    echo "ML-KEM requires SHA-3 support (disabled), disabling ML-KEM"
+    ENABLED_MLKEM=no
+fi
+
+if test "$ENABLED_MLKEM" = "yes"
+then
+    if test "$ENABLED_PKCS11V3_2" = "no"; then
+        ENABLED_PKCS11V3_2=yes
+        AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
+        if test "$ENABLED_PKCS11V3_0" = "no"; then
+            ENABLED_PKCS11V3_0=yes
+            AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_0"
+        fi
+    fi
+    AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_MLKEM"
+fi
+
 
 AM_CONDITIONAL([BUILD_STATIC],[test "x$enable_shared" = "xno"])
 
@@ -725,6 +754,7 @@ echo "   * DH:                         $ENABLED_DH"
 echo "   * ECC:                        $ENABLED_ECC"
 echo "   * HKDF:                       $ENABLED_HKDF"
 echo "   * ML-DSA:                     $ENABLED_MLDSA"
+echo "   * ML-KEM:                     $ENABLED_MLKEM"
 echo "   * NSS modifications:          $ENABLED_NSS"
 echo "   * Default token path:         $WOLFPKCS11_DEFAULT_TOKEN_PATH"
 echo "   * PKCS#11 Version 3.0:        $ENABLED_PKCS11V3_0"