Native ML-KEM768 implementation

for cryptographic backends that do not have support for ML-KEM (old OpenSSL and Gcrypt; MbedTLS). Based on the libcrux implementation used in OpenSSH, taken from this revision: https://github.com/openssh/openssh-portable/blob/6aba700/libcrux_mlkem768_sha3.h But refactored to separate C and header file to support testing and removed unused functions (to make compiler happy). Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
2026-02-10 18:28:10 +09:00 · 2025-12-19 12:00:41 +01:00
parent 9780fa2f01
commit 34db488e4d
27 changed files with 9569 additions and 91 deletions
--- a/tests/external_override/torture_override.c
+++ b/tests/external_override/torture_override.c
@@ -32,6 +32,7 @@
 #include "chacha20_override.h"
 #include "curve25519_override.h"
 #include "ed25519_override.h"
+#include "mlkem768_override.h"
 #include "poly1305_override.h"
 #include "sntrup761_override.h"

@@ -119,6 +120,8 @@ static int session_setup(void **state)
    reset_poly1305_function_called();
    reset_curve25519_function_called();
    reset_ed25519_function_called();
+    reset_sntrup761_function_called();
+    reset_mlkem768_function_called();

    return 0;
 }
@@ -324,6 +327,64 @@ torture_override_ecdh_sntrup761x25519_sha512(void **state)
 }
 #endif /* OPENSSH_SNTRUP761X25519_SHA512 */

+#ifdef OPENSSH_MLKEM768X25519_SHA256
+static void torture_override_mlkem768x25519_sha256(void **state)
+{
+    struct torture_state *s = *state;
+    bool internal_curve25519_called;
+    bool internal_mlkem768_called;
+
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
+    test_algorithm(s->ssh.session,
+                   "mlkem768x25519-sha256",
+                   NULL, /* cipher */
+                   NULL  /* hostkey */);
+
+    internal_curve25519_called = internal_curve25519_function_called();
+    internal_mlkem768_called = internal_mlkem768_function_called();
+
+#if SHOULD_CALL_INTERNAL_MLKEM
+    assert_true(internal_mlkem768_called);
+#else
+    assert_false(internal_mlkem768_called);
+#endif
+
+#if SHOULD_CALL_INTERNAL_CURVE25519
+    assert_true(internal_curve25519_called);
+#else
+    assert_false(internal_curve25519_called);
+#endif
+}
+#endif /* OPENSSH_MLKEM768X25519_SHA256 */
+
+#ifdef OPENSSH_MLKEM768NISTP256_SHA256
+static void torture_override_mlkem768nistp256_sha256(void **state)
+{
+    struct torture_state *s = *state;
+    bool internal_mlkem768_called;
+
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
+    test_algorithm(s->ssh.session,
+                   "mlkem768nistp256-sha256",
+                   NULL, /* cipher */
+                   NULL  /* hostkey */);
+
+    internal_mlkem768_called = internal_mlkem768_function_called();
+
+#if SHOULD_CALL_INTERNAL_MLKEM
+    assert_true(internal_mlkem768_called);
+#else
+    assert_false(internal_mlkem768_called);
+#endif
+}
+#endif /* OPENSSH_MLKEM768NISTP256_SHA256 */
+
 #ifdef OPENSSH_SSH_ED25519
 static void torture_override_ed25519(void **state)
 {
@@ -378,6 +439,16 @@ int torture_run_tests(void)
                                        session_setup,
                                        session_teardown),
 #endif /* OPENSSH_SNTRUP761X25519_SHA512 */
+#ifdef OPENSSH_MLKEM768X25519_SHA256
+        cmocka_unit_test_setup_teardown(torture_override_mlkem768x25519_sha256,
+                                        session_setup,
+                                        session_teardown),
+#endif /* OPENSSH_MLKEM768X25519_SHA256 */
+#ifdef OPENSSH_MLKEM768NISTP256_SHA256
+        cmocka_unit_test_setup_teardown(torture_override_mlkem768nistp256_sha256,
+                                        session_setup,
+                                        session_teardown),
+#endif /* OPENSSH_MLKEM768NISTP256_SHA256 */
 #ifdef OPENSSH_SSH_ED25519
        cmocka_unit_test_setup_teardown(torture_override_ed25519,
                                        session_setup,