Add mlkem768x25519 Kex as per draft-kampanakis-curdle-ssh-pq-ke

Makefile.in

@@ -65,7 +65,7 @@ _CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \
 		tcp-accept.o listener.o process-packet.o dh_groups.o \
 		common-runopts.o circbuffer.o list.o netio.o chachapoly.o gcm.o \
 		kex-x25519.o kex-dh.o kex-ecdh.o kex-pqhybrid.o \
-		sntrup761.o
+		sntrup761.o mlkem768.o
 CLISVROBJS = $(patsubst %,$(OBJ_DIR)/%,$(_CLISVROBJS))
 
 _KEYOBJS=dropbearkey.o

src/common-algo.c

@@ -34,6 +34,7 @@
 #include "chachapoly.h"
 #include "ssh.h"
 #include "sntrup761.h"
+#include "mlkem768.h"
 
 /* This file (algo.c) organises the ciphers which can be used, and is used to
  * decide which ciphers/hashes/compression/signing to use during key exchange*/
@@ -270,6 +271,18 @@ static const struct dropbear_kex kex_ecdh_nistp521 = {DROPBEAR_KEX_ECDH, NULL, 0
 static const struct dropbear_kex kex_curve25519 = {DROPBEAR_KEX_CURVE25519, NULL, 0, NULL, &sha256_desc };
 #endif
 
+#if DROPBEAR_MLKEM768
+static const struct dropbear_kem_desc mlkem768_desc = {
+	.public_len = crypto_kem_mlkem768_PUBLICKEYBYTES,
+	.secret_len = crypto_kem_mlkem768_SECRETKEYBYTES,
+	.ciphertext_len = crypto_kem_mlkem768_CIPHERTEXTBYTES,
+	.output_len = crypto_kem_mlkem768_BYTES,
+	.kem_gen = crypto_kem_mlkem768_keypair,
+	.kem_enc = crypto_kem_mlkem768_enc,
+	.kem_dec = crypto_kem_mlkem768_dec,
+};
+static const struct dropbear_kex kex_mlkem768 = {DROPBEAR_KEX_PQHYBRID, NULL, 0, &mlkem768_desc, &sha256_desc };
+#endif
 
 #if DROPBEAR_SNTRUP761
 static const struct dropbear_kem_desc sntrup761_desc = {
@@ -292,6 +305,9 @@ volatile int64_t crypto_int64_optblocker = 0;
 
 /* data == NULL for non-kex algorithm identifiers */
 algo_type sshkex[] = {
+#if DROPBEAR_MLKEM768
+	{"mlkem768x25519-sha256", 0, &kex_mlkem768, 1, NULL},
+#endif
 #if DROPBEAR_SNTRUP761
 	{"sntrup761x25519-sha512", 0, &kex_sntrup761, 1, NULL},
 	{"[email protected]", 0, &kex_sntrup761, 1, NULL},

src/default_options.h

@@ -185,6 +185,7 @@ IMPORTANT: Some options will require "make clean" after changes */
  * curve25519 - elliptic curve DH
  * ecdh - NIST elliptic curve DH (256, 384, 521)
  * sntrup761 - post-quantum hybrid with x25519.
+ * mlkem768 - post-quantum hybrid with x25519.
  *
  * group1 is too small for security though is necessary if you need
      compatibility with some implementations such as Dropbear versions < 0.53
@@ -198,6 +199,8 @@ IMPORTANT: Some options will require "make clean" after changes */
  * by future quantum computers.
  * It is fast, but adds ~9kB code size (32-bit armv7)
 
+ * mlkem768 is also recommended to avoid possible decryption
+ * by future quantum computers.
  * Small systems should generally include either curve25519 or ecdh for performance.
  * curve25519 is less widely supported but is faster
  */
@@ -206,6 +209,7 @@ IMPORTANT: Some options will require "make clean" after changes */
 #define DROPBEAR_DH_GROUP16 0
 #define DROPBEAR_CURVE25519 1
 #define DROPBEAR_SNTRUP761 1
+#define DROPBEAR_MLKEM768 1
 #define DROPBEAR_ECDH 1
 #define DROPBEAR_DH_GROUP1 0