wolfSSL
diff --git a/‎.github/workflows/clang-tidy.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/clang-tidy.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/cmake.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/cmake.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/sanitizer-tests.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/sanitizer-tests.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/unit-test.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/unit-test.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 5 additions & 0 deletions b/‎.gitignore‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎CMakeLists.txt‎
Lines changed: 31 additions & 1 deletion b/‎CMakeLists.txt‎
Lines changed: 31 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 12 additions & 1 deletion b/‎README.md‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎cmake/options.h.in‎
Lines changed: 2 additions & 0 deletions b/‎cmake/options.h.in‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎configure.ac‎
Lines changed: 30 additions & 0 deletions b/‎configure.ac‎
Lines changed: 30 additions & 0 deletions
@@ -43,7 +43,7 @@ jobs:
           - name: "NSS+TPM Build"
             configure_flags: "--enable-nss --enable-tpm"
           - name: "PKCS#11 V3.2 PQC Build"
-            configure_flags: "--enable-pkcs11v32 --enable-mldsa"
+            configure_flags: "--enable-pkcs11v32 --enable-mldsa --enable-mlkem"
 
     steps:
     # Checkout wolfPKCS11
 
@@ -62,7 +62,7 @@ jobs:
             -DWOLFPKCS11_AESKEYWRAP:BOOL=yes -DWOLFPKCS11_AESCTR:BOOL=yes -DWOLFPKCS11_AESCCM:BOOL=yes \
             -DWOLFPKCS11_AESECB:BOOL=yes -DWOLFPKCS11_AESCTS:BOOL=yes -DWOLFPKCS11_AESCMAC:BOOL=yes \
             -DWOLFPKCS11_PBKDF2:BOOL=yes -DWOLFPKCS11_SHA3:BOOL=yes -DWOLFPKCS11_PKCS11_V3_0:BOOL=yes \
-            -DWOLFPKCS11_PKCS11_V3_2:BOOL=yes -DWOLFPKCS11_MLDSA:BOOL=yes \
+            -DWOLFPKCS11_PKCS11_V3_2:BOOL=yes -DWOLFPKCS11_MLDSA:BOOL=yes -DWOLFPKCS11_MLKEM:BOOL=yes \
             -DCMAKE_MODULE_PATH="$GITHUB_WORKSPACE/install/${CMAKE_INSTALL_LIBDIR}" \
             ..
         cmake --build .
 
@@ -26,7 +26,7 @@ jobs:
           - name: "NSS+TPM Build"
             configure_flags: "--enable-nss --enable-tpm"
           - name: "PKCS#11 V3.2 PQC Build"
-            configure_flags: "--enable-pkcs11v32 --enable-mldsa"
+            configure_flags: "--enable-pkcs11v32 --enable-mldsa --enable-mlkem"
 
     steps:
 #pull wolfPKCS11
 
@@ -106,6 +106,10 @@ jobs:
     uses: ./.github/workflows/build-workflow.yml
     with:
       config: --enable-mldsa
+  mlkem:
+    uses: ./.github/workflows/build-workflow.yml
+    with:
+      config: --enable-mlkem
   debug:
     uses: ./.github/workflows/build-workflow.yml
     with:
 
@@ -43,6 +43,9 @@ tests/rsa_session_persistence_test
 tests/debug_test
 tests/token_path_test
 tests/pkcs11v3test
+tests/aes_cbc_pad_padding_test
+tests/ecb_check_value_error_test
+tests/find_objects_null_template_test
 examples/add_aes_key
 examples/add_hmac_key
 examples/add_rsa_key
@@ -54,8 +57,10 @@ examples/obj_list
 examples/slot_info
 examples/token_info
 store/wp11*
+store/cbc_pad_padding_test
 store/debug
 store/empty_pin_test
+store/find_null_test
 store/object
 store/pkcs11mtt
 store/pkcs11test
 
@@ -474,12 +474,42 @@ endif()
 
 if(WOLFPKCS11_MLDSA)
     if(NOT WOLFPKCS11_PKCS11_V3_2)
-        message(FATAL_ERROR "ML-DSA requires PKCS#11 Version 3.2 support (enable WOLFPKCS11_PKCS11_V3_2)")
+        message(STATUS "ML-DSA requires PKCS#11 v3.2 support — enabling WOLFPKCS11_PKCS11_V3_2 automatically")
+        override_cache(WOLFPKCS11_PKCS11_V3_2 "yes")
+        if(NOT WOLFPKCS11_PKCS11_V3_0)
+            override_cache(WOLFPKCS11_PKCS11_V3_0 "yes")
+            list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_0")
+        endif()
+        list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_2")
     endif()
     list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_MLDSA")
 endif()
 
 
+# ML-KEM
+add_option("WOLFPKCS11_MLKEM"
+    "Enable wolfPKCS11 ML-KEM support (default: disabled)"
+    "no" "yes;no"
+)
+
+if(NOT WOLFPKCS11_SHA3)
+    override_cache(WOLFPKCS11_MLKEM "no")
+endif()
+
+if(WOLFPKCS11_MLKEM)
+    if(NOT WOLFPKCS11_PKCS11_V3_2)
+        message(STATUS "ML-KEM requires PKCS#11 v3.2 support — enabling WOLFPKCS11_PKCS11_V3_2 automatically")
+        override_cache(WOLFPKCS11_PKCS11_V3_2 "yes")
+        if(NOT WOLFPKCS11_PKCS11_V3_0)
+            override_cache(WOLFPKCS11_PKCS11_V3_0 "yes")
+            list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_0")
+        endif()
+        list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_2")
+    endif()
+    list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_MLKEM")
+endif()
+
+
 # If wolfpkcs11/options.h exists, delete it to avoid
 # a mixup with build/wolfpkcs11/options.h.
 if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/wolfpkcs11/options.h")
 
@@ -64,6 +64,16 @@ As ML-DSA is a feature of PKCS#11 version 3.2, support for that is required,
 too. Hence, to enable all in wolfPKCS11, add `--enable-pkcs11v32 --enable-mldsa`
 during the configure step.
 
+### Optional: PQC ML-KEM Support
+
+To have ML-KEM support in wolfPKCS11, configure wolfSSL with ML-KEM (FIPS 203)
+support enabled, either by adding `--enable-mlkem` to `./configure` or by
+setting `WOLFPKCS11_MLKEM` to `yes` in CMake.
+
+As ML-KEM is a feature of PKCS#11 version 3.2, support for that is required,
+too. Hence, to enable all in wolfPKCS11, add `--enable-pkcs11v32 --enable-mlkem`
+during the configure step.
+
 ### Build options and defines
 
 #### Define WOLFPKCS11_TPM_STORE
@@ -207,7 +217,8 @@ cmake -DCMAKE_PREFIX_PATH=/path/to/wolfssl/install ..
 | `WOLFPKCS11_NSS` | `no` | NSS-specific modifications |
 | `WOLFPKCS11_PKCS11_V3_0` | `yes` | PKCS#11 v3.0 support |
 | `WOLFPKCS11_PKCS11_V3_2` | `no` | PKCS#11 v3.2 support |
-| `WOLFPKCS11_MLDSA` | `no`| ML-DSA support |
+| `WOLFPKCS11_MLDSA` | `no` | ML-DSA support |
+| `WOLFPKCS11_MLKEM` | `no` | ML-KEM support |
 | `WOLFPKCS11_EXAMPLES` | `yes` | Build examples |
 | `WOLFPKCS11_TESTS` | `yes` | Build and register tests |
 | `WOLFPKCS11_COVERAGE` | `no` | Code coverage support |
 
@@ -94,6 +94,8 @@ extern "C" {
 #cmakedefine WOLFSSL_SHA3
 #undef WOLFPKCS11_MLDSA
 #cmakedefine WOLFPKCS11_MLDSA
+#undef WOLFPKCS11_MLKEM
+#cmakedefine WOLFPKCS11_MLKEM
 #undef WOLFPKCS11_TPM
 #cmakedefine WOLFPKCS11_TPM
 #undef WOLFPKCS11_NSS
 
@@ -533,10 +533,39 @@ then
     if test "$ENABLED_PKCS11V3_2" = "no"; then
         ENABLED_PKCS11V3_2=yes
         AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
+        if test "$ENABLED_PKCS11V3_0" = "no"; then
+            ENABLED_PKCS11V3_0=yes
+            AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_0"
+        fi
     fi
     AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_MLDSA"
 fi
 
+AC_ARG_ENABLE([mlkem],
+    [AS_HELP_STRING([--enable-mlkem],[Enable ML-KEM (default: disabled)])],
+    [ ENABLED_MLKEM=$enableval ],
+    [ ENABLED_MLKEM=no ]
+    )
+
+if test "$ENABLED_SHA3" = "no"
+then
+    echo "ML-KEM requires SHA-3 support (disabled), disabling ML-KEM"
+    ENABLED_MLKEM=no
+fi
+
+if test "$ENABLED_MLKEM" = "yes"
+then
+    if test "$ENABLED_PKCS11V3_2" = "no"; then
+        ENABLED_PKCS11V3_2=yes
+        AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
+        if test "$ENABLED_PKCS11V3_0" = "no"; then
+            ENABLED_PKCS11V3_0=yes
+            AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_0"
+        fi
+    fi
+    AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_MLKEM"
+fi
+
 
 AM_CONDITIONAL([BUILD_STATIC],[test "x$enable_shared" = "xno"])
 
@@ -725,6 +754,7 @@ echo "   * DH:                         $ENABLED_DH"
 echo "   * ECC:                        $ENABLED_ECC"
 echo "   * HKDF:                       $ENABLED_HKDF"
 echo "   * ML-DSA:                     $ENABLED_MLDSA"
+echo "   * ML-KEM:                     $ENABLED_MLKEM"
 echo "   * NSS modifications:          $ENABLED_NSS"
 echo "   * Default token path:         $WOLFPKCS11_DEFAULT_TOKEN_PATH"
 echo "   * PKCS#11 Version 3.0:        $ENABLED_PKCS11V3_0"