diff --git a/CMakeLists.txt b/CMakeLists.txt
index f67b67a06..8cafb4a0a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1774,6 +1774,42 @@ if(WOLFSSL_AESKEYWRAP)
 )
 endif()
+# Hybrid Public Key Encryption (RFC9180)
+add_option("WOLFSSL_HPKE"
+ "Enable wolfSSL hybrid public key encryption (default: disabled)"
+ "no" "yes;no")
+
+# Encrypted Client Hello (ECH)
+add_option("WOLFSSL_ECH"
+ "Enable wolfSSL encrypted client hello (default: disabled)"
+ "no" "yes;no")
+
+# Keying Material Exporter / TLS Exporter
+add_option("WOLFSSL_KEYING_MATERIAL"
+ "Enable wolfSSL keying material export (default: disabled)"
+ "no" "yes;no")
+
+if(WOLFSSL_HPKE)
+ if(NOT WOLFSSL_ECC)
+ message(FATAL_ERROR "HPKE supported only with ECC (WOLFSSL_ECC)")
+ endif()
+ list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_HPKE")
+ override_cache(WOLFSSL_HKDF "yes")
+endif()
+
+if(WOLFSSL_ECH)
+ if(NOT WOLFSSL_HPKE)
+ message(FATAL_ERROR "ECH supported only with HPKE (WOLFSSL_HPKE)")
+ endif()
+ if(NOT WOLFSSL_SNI)
+ message(FATAL_ERROR "ECH supported only with SNI (WOLFSSL_SNI)")
+ endif()
+ list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ECH")
+endif()
+
+if(WOLFSSL_KEYING_MATERIAL)
+ list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_KEYING_MATERIAL")
+endif()
 if(WOLFSSL_KEYGEN)
 list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_KEY_GEN")
diff --git a/cmake/functions.cmake b/cmake/functions.cmake
index 87839d1bc..e77991ea1 100644
--- a/cmake/functions.cmake
+++ b/cmake/functions.cmake
@@ -304,6 +304,9 @@ function(generate_build_flags)
 if(WOLFSSL_CAAM)
 set(BUILD_CAAM "yes" PARENT_SCOPE)
 endif()
+ if(WOLFSSL_HPKE OR WOLFSSL_USER_SETTINGS)
+ set(BUILD_HPKE "yes" PARENT_SCOPE)
+ endif()
 set(BUILD_FLAGS_GENERATED "yes" PARENT_SCOPE)
 endfunction()
@@ -910,6 +913,10 @@ function(generate_lib_src_list LIB_SOURCES)
 wolfcrypt/src/port/caam/wolfcaam_hmac.c)
 endif()
+ if(BUILD_HPKE)
+ list(APPEND LIB_SOURCES wolfcrypt/src/hpke.c)
+ endif()
+
 set(LIB_SOURCES ${LIB_SOURCES} PARENT_SCOPE)
 endfunction()
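Review bot: `override_cache(WOLFSSL_HKDF "yes")` inside `if(WOLFSSL_HPKE)` only changes the cached option, so its effect depends on where the block that turns `WOLFSSL_HKDF` into a compile definition sits, which this hunk does not show. If that block runs earlier in CMakeLists.txt than line 1774, the first configure run would add `-DHAVE_HPKE` without HKDF and only a re-run would pick it up. Either move this block ahead of the HKDF handling or record the ordering in a comment such as `# must run before the WOLFSSL_HKDF block: HPKE forces HKDF on`. The `if(WOLFSSL_ECH)` block checks HPKE and SNI but not TLS 1.3, which ECH depends on. A `FATAL_ERROR` when the TLS 1.3 option is off would stop a build from offering an ECH option it cannot negotiate.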
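Review bot: The `OR WOLFSSL_USER_SETTINGS` arm of the new `BUILD_HPKE` condition adds `wolfcrypt/src/hpke.c` to every user-settings build (through the `if(BUILD_HPKE)` hunk at line 913), without the ECC check and HKDF override that the `WOLFSSL_HPKE` option enforces in CMakeLists.txt. This is presumably intentional, so that a `user_settings.h` defining `HAVE_HPKE` still gets the source, and it relies on hpke.c guarding its own contents. A comment would make that explicit, e.g. `# user_settings.h may define HAVE_HPKE; hpke.c compiles to nothing when it does not`. Both functions start and end outside their hunks, so whether the append sits inside a FIPS or crypt-only branch cannot be checked from here.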
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index d19a044fa..d9057d621 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -23255,10 +23255,10 @@ static wc_test_ret_t hpke_test_single(Hpke* hpke)
 void* receiverKey = NULL;
 void* ephemeralKey = NULL;
 #ifdef WOLFSSL_SMALL_STACK
- uint8_t *pubKey = NULL; /* public key */
+ byte *pubKey = NULL; /* public key */
 word16 pubKeySz = (word16)HPKE_Npk_MAX;
 #else
- uint8_t pubKey[HPKE_Npk_MAX]; /* public key */
+ byte pubKey[HPKE_Npk_MAX]; /* public key */
 word16 pubKeySz = (word16)sizeof(pubKey);
 #endif
@@ -23269,7 +23269,7 @@ static wc_test_ret_t hpke_test_single(Hpke* hpke)
 #ifdef WOLFSSL_SMALL_STACK
 if (ret == 0) {
- pubKey = (uint8_t *)XMALLOC(pubKeySz, HEAP_HINT,
+ pubKey = (byte *)XMALLOC(pubKeySz, HEAP_HINT,
 DYNAMIC_TYPE_TMP_BUFFER);
 if (pubKey == NULL)
 ret = MEMORY_E;