kex: Implement remaining hybrid ML-KEM methods

This builds on top of a9c8f94. The pure ML-KEM
code is now separated from the hybrid parts,
with the hybrid implementation generalized to
support NIST curves.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>

include/libssh/crypto.h

@@ -50,9 +50,6 @@
 #include "libssh/ecdh.h"
 #include "libssh/kex.h"
 #include "libssh/sntrup761.h"
-#ifdef HAVE_MLKEM
-#include "libssh/mlkem768.h"
-#endif
 
 #define DIGEST_MAX_LEN 64
 
@@ -93,6 +90,10 @@ enum ssh_key_exchange_e {
 #ifdef HAVE_MLKEM
     /* mlkem768x25519-sha256 */
     SSH_KEX_MLKEM768X25519_SHA256,
+    /* mlkem768nistp256-sha256 */
+    SSH_KEX_MLKEM768NISTP256_SHA256,
+    /* mlkem1024nistp384-sha384 */
+    SSH_KEX_MLKEM1024NISTP384_SHA384,
 #endif /* HAVE_MLKEM */
 };
 
@@ -117,6 +118,9 @@ struct dh_ctx;
 
 struct ssh_crypto_struct {
     bignum shared_secret;
+    ssh_string hybrid_client_init;
+    ssh_string hybrid_server_reply;
+    ssh_string hybrid_shared_secret;
     struct dh_ctx *dh_ctx;
 #ifdef WITH_GEX
     size_t dh_pmin; size_t dh_pn; size_t dh_pmax; /* preferred group parameters */
@@ -148,9 +152,9 @@ struct ssh_crypto_struct {
     ssh_curve25519_pubkey curve25519_server_pubkey;
 #endif
 #ifdef HAVE_MLKEM
-    ssh_mlkem768_privkey mlkem768_client_privkey;
-    ssh_mlkem768_pubkey mlkem768_client_pubkey;
-    ssh_mlkem768_ciphertext mlkem768_ciphertext;
+    EVP_PKEY *mlkem_privkey;
+    ssh_string mlkem_client_pubkey;
+    ssh_string mlkem_ciphertext;
 #endif
 #ifdef HAVE_SNTRUP761
     ssh_sntrup761_privkey sntrup761_privkey;

include/libssh/hybrid_mlkem.h

@@ -0,0 +1,48 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2025 by Red Hat, Inc.
+ *
+ * Author: Sahana Prasad <sahana@redhat.com>
+ * Author: Pavol Žáčik <pzacik@redhat.com>
+ * Author: Claude (Anthropic)
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef HYBRID_MLKEM_H_
+#define HYBRID_MLKEM_H_
+
+#include "libssh/mlkem.h"
+#include "libssh/wrapper.h"
+
+#include "config.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int ssh_client_hybrid_mlkem_init(ssh_session session);
+void ssh_client_hybrid_mlkem_remove_callbacks(ssh_session session);
+
+#ifdef WITH_SERVER
+void ssh_server_hybrid_mlkem_init(ssh_session session);
+#endif /* WITH_SERVER */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HYBRID_MLKEM_H_ */

include/libssh/mlkem.h

@@ -0,0 +1,64 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2025 by Red Hat, Inc.
+ *
+ * Author: Pavol Žáčik <pzacik@redhat.com>
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, version 2.1 of the License.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#ifndef MLKEM_H_
+#define MLKEM_H_
+
+#include "libssh/crypto.h"
+#include "libssh/libssh.h"
+#include "libssh/session.h"
+
+#include "config.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct mlkem_type_info {
+    size_t pubkey_size;
+    size_t ciphertext_size;
+    const char *name;
+};
+
+extern const struct mlkem_type_info MLKEM768_INFO;
+extern const struct mlkem_type_info MLKEM1024_INFO;
+
+#define MLKEM_SHARED_SECRET_SIZE 32
+
+typedef unsigned char ssh_mlkem_shared_secret[MLKEM_SHARED_SECRET_SIZE];
+
+const struct mlkem_type_info *
+kex_type_to_mlkem_info(enum ssh_key_exchange_e kex_type);
+
+int ssh_mlkem_init(ssh_session session);
+
+int ssh_mlkem_encapsulate(ssh_session session,
+                          ssh_mlkem_shared_secret shared_secret);
+
+int ssh_mlkem_decapsulate(const ssh_session session,
+                          ssh_mlkem_shared_secret shared_secret);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MLKEM_H_ */

include/libssh/mlkem768.h

@@ -1,63 +0,0 @@
-/*
- * This file is part of the SSH Library
- *
- * Copyright (c) 2025 by Red Hat, Inc.
- *
- * Author: Sahana Prasad <sahana@redhat.com>
- * Author: Claude (Anthropic)
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- */
-
-#ifndef MLKEM768_H_
-#define MLKEM768_H_
-
-#include "config.h"
-
-/* ML-KEM768 key and ciphertext sizes as defined in FIPS 203 */
-#define MLKEM768_PUBLICKEY_SIZE   1184
-#define MLKEM768_SECRETKEY_SIZE   2400
-#define MLKEM768_CIPHERTEXT_SIZE  1088
-#define MLKEM768_SHARED_SECRET_SIZE 32
-
-/* Hybrid ML-KEM768x25519 combined sizes */
-#define MLKEM768X25519_CLIENT_PUBKEY_SIZE \
-    (MLKEM768_PUBLICKEY_SIZE + CURVE25519_PUBKEY_SIZE)
-#define MLKEM768X25519_SERVER_RESPONSE_SIZE \
-    (MLKEM768_CIPHERTEXT_SIZE + CURVE25519_PUBKEY_SIZE)
-#define MLKEM768X25519_SHARED_SECRET_SIZE \
-    (MLKEM768_SHARED_SECRET_SIZE + CURVE25519_PUBKEY_SIZE)
-
-typedef unsigned char ssh_mlkem768_pubkey[MLKEM768_PUBLICKEY_SIZE];
-typedef unsigned char ssh_mlkem768_privkey[MLKEM768_SECRETKEY_SIZE];
-typedef unsigned char ssh_mlkem768_ciphertext[MLKEM768_CIPHERTEXT_SIZE];
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* ML-KEM768x25519 key exchange functions */
-int ssh_client_mlkem768x25519_init(ssh_session session);
-void ssh_client_mlkem768x25519_remove_callbacks(ssh_session session);
-
-#ifdef WITH_SERVER
-void ssh_server_mlkem768x25519_init(ssh_session session);
-#endif /* WITH_SERVER */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MLKEM768_H_ */