Add ML-KEM with Curve25519 and NISTp384

1. Reorganize the KEX test to allow for testing any KEX algorithm. Add test
   cases for the new algorithms to the KEX test.
2. Reorder the cannedKexAlgoNames with the ML-KEM algos first.
3. Add the new algos to wolfSSH_GetText().
4. Add comments and whitespace cleanup.

Author: ejohnstown

src/internal.c

@@ -146,8 +146,14 @@
     Set when ECC or SHA2-512 are disabled. Set to disable use of ECDSA server
     authentication with prime NISTP521.
   WOLFSSH_NO_NISTP256_MLKEM768_SHA256
-    Set when ML-KEM is disabled in wolfssl. Set to disable use of ECDHE with
-    prime NISTP256 hybridized with post-quantum ML-KEM 768.
+    Set when ML-KEM, ECC, or SHA2-256 are disabled in wolfssl. Set to disable
+    use of ECDHE with prime NISTP256 hybridized with post-quantum ML-KEM 768.
+  WOLFSSH_NO_NISTP384_MLKEM1024_SHA384
+    Set when ML-KEM, ECC, or SHA2-384 are disabled in wolfssl. Set to disable
+    use of ECDHE with prime NISTP384 hybridized with post-quantum ML-KEM 1024.
+  WOLFSSH_NO_CURVE25519_MLKEM768_SHA256
+    Set when ML-KEM, Curve25519, or SHA2-256 are disabled in wolfssl. Set to
+    disable use of Curve25519 hybridized with post-quantum ML-KEM 768.
   WOLFSSH_NO_AES_CBC_SOFT_DISABLE
     AES-CBC is normally soft-disabled. The default configuration will not
     advertise the availability of AES-CBC algorithms during KEX. AES-CBC
@@ -847,14 +853,14 @@ int wolfSSH_TestIsMessageAllowed(WOLFSSH* ssh, byte msg, byte state)
 
 
 static const char cannedKexAlgoNames[] =
-#if !defined(WOLFSSH_NO_NISTP256_MLKEM768_SHA256)
-    "mlkem768nistp256-sha256,"
+#if !defined(WOLFSSH_NO_CURVE25519_MLKEM768_SHA256)
+    "mlkem768x25519-sha256,"
 #endif
 #if !defined(WOLFSSH_NO_NISTP384_MLKEM1024_SHA384)
     "mlkem1024nistp384-sha384,"
 #endif
-#if !defined(WOLFSSH_NO_CURVE25519_MLKEM768_SHA256)
-    "mlkem768x25519-sha256,"
+#if !defined(WOLFSSH_NO_NISTP256_MLKEM768_SHA256)
+    "mlkem768nistp256-sha256,"
 #endif
 #ifndef WOLFSSH_NO_CURVE25519_SHA256
     "curve25519-sha256,"

src/ssh.c

@@ -3199,7 +3199,22 @@ size_t wolfSSH_GetText(WOLFSSH *ssh, WS_Text id, char *str, size_t strSz)
 
             #ifndef WOLFSSH_NO_NISTP256_MLKEM768_SHA256
                 case ID_NISTP256_MLKEM768_SHA256:
-                    ret = WSNPRINTF(str, strSz, "%s", "ECDH-MLKEM768");
+                    ret = WSNPRINTF(str, strSz, "%s",
+                            "ECDH-NISTP256-MLKEM768");
+                    break;
+            #endif
+
+            #ifndef WOLFSSH_NO_NISTP384_MLKEM1024_SHA384
+                case ID_NISTP384_MLKEM1024_SHA384:
+                    ret = WSNPRINTF(str, strSz, "%s",
+                            "ECDH-NISTP384-MLKEM1024");
+                    break;
+            #endif
+
+            #ifndef WOLFSSH_NO_CURVE25519_MLKEM768_SHA256
+                case ID_CURVE25519_MLKEM768_SHA256:
+                    ret = WSNPRINTF(str, strSz, "%s",
+                            "ECDH-CURVE25519-MLKEM768");
                     break;
             #endif
 

tests/kex.c

@@ -138,9 +138,12 @@
 
 
 #if !defined(NO_WOLFSSH_SERVER) && !defined(NO_WOLFSSH_CLIENT) && \
-    !defined(SINGLE_THREADED) && !defined(WOLFSSH_TEST_BLOCK) && \
-    !defined(WOLFSSH_NO_DH_GROUP16_SHA512) && !defined(WOLFSSH_NO_HMAC_SHA2_512)
+    !defined(SINGLE_THREADED) && !defined(WOLFSSH_TEST_BLOCK)
 
+    #define KEXTEST_AVAILABLE
+#endif
+
+#ifdef KEXTEST_AVAILABLE
 static int tsClientUserAuth(byte authType, WS_UserAuthData* authData, void* ctx)
 {
     static char password[] = "upthehill";
@@ -163,7 +166,7 @@ static int tsClientUserAuth(byte authType, WS_UserAuthData* authData, void* ctx)
 #define NUMARGS 12
 #define ARGLEN 32
 
-/* 
+/*
  * Macro: ADD_ARG
  * Purpose: Adds a string argument to the argument list.
  * Parameters:
@@ -185,7 +188,7 @@ static int tsClientUserAuth(byte authType, WS_UserAuthData* authData, void* ctx)
         WSTRNCPY((argList)[(argListCount)++], (arg), ARGLEN); \
 } while (0)
 
-/* 
+/*
  * Macro: ADD_ARG_INT
  * Purpose: Adds an integer argument to the argument list as a string.
  * Parameters:
@@ -209,7 +212,7 @@ static int tsClientUserAuth(byte authType, WS_UserAuthData* authData, void* ctx)
 } while (0)
 
 
-static int wolfSSH_wolfSSH_Group16_512(void)
+static int wolfSSH_KexTest_Connect(const char* kex)
 {
     tcp_ready ready;
     THREAD_TYPE serverThread;
@@ -226,27 +229,6 @@ static int wolfSSH_wolfSSH_Group16_512(void)
     int serverArgc = 0;
     int clientArgc = 0;
 
-    WSTARTTCP();
-
-    #if defined(DEBUG_WOLFSSH)
-        wolfSSH_Debugging_ON();
-    #endif
-
-    wolfSSH_Init();
-
-    #if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,2)
-    {
-        int i;
-        for (i = 0; i < FIPS_CAST_COUNT; i++) {
-            wc_RunCast_fips(i);
-        }
-    }
-    #endif /* HAVE_FIPS */
-
-    #if !defined(WOLFSSL_TIRTOS)
-        ChangeToWolfSshRoot();
-    #endif
-
     InitTcpReady(&ready);
 
     ADD_ARG(serverArgv, serverArgc, "echoserver");
@@ -257,7 +239,7 @@ static int wolfSSH_wolfSSH_Group16_512(void)
         ADD_ARG(serverArgv, serverArgc, "-0");
     #endif
     ADD_ARG(serverArgv, serverArgc, "-x");
-    ADD_ARG(serverArgv, serverArgc, "diffie-hellman-group16-sha512");
+    ADD_ARG(serverArgv, serverArgc, kex);
     ADD_ARG(serverArgv, serverArgc, "-m");
     ADD_ARG(serverArgv, serverArgc, "hmac-sha2-512");
     ADD_ARG(serverArgv, serverArgc, "-c");
@@ -318,18 +300,27 @@ static int wolfSSH_wolfSSH_Group16_512(void)
     return EXIT_SUCCESS;
 }
 
-#endif
+#endif /* KEXTEST_AVAILABLE */
 
 int wolfSSH_KexTest(int argc, char** argv)
 {
     (void)argc;
     (void)argv;
 
 
-#if defined(NO_WOLFSSH_SERVER) || defined(NO_WOLFSSH_CLIENT) || \
-    defined(SINGLE_THREADED) || defined(WOLFSSH_TEST_BLOCK)
+#if !defined(KEXTEST_AVAILABLE)
     return 77;
 #else
+    WSTARTTCP();
+
+    #if defined(DEBUG_WOLFSSH)
+        wolfSSH_Debugging_ON();
+    #endif
+
+    #if !defined(WOLFSSL_TIRTOS)
+        ChangeToWolfSshRoot();
+    #endif
+
     AssertIntEQ(wolfSSH_Init(), WS_SUCCESS);
 
     #if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,2)
@@ -341,14 +332,23 @@ int wolfSSH_KexTest(int argc, char** argv)
     }
     #endif /* HAVE_FIPS */
 
-#if !defined(WOLFSSH_NO_DH_GROUP16_SHA512) && !defined(WOLFSSH_NO_HMAC_SHA2_512)
-    wolfSSH_wolfSSH_Group16_512();
+#if !defined(WOLFSSH_NO_DH_GROUP16_SHA512)
+    AssertIntEQ(wolfSSH_KexTest_Connect("diffie-hellman-group16-sha512"),
+            EXIT_SUCCESS);
+#endif
+#if !defined(WOLFSSH_NO_CURVE25519_MLKEM768_SHA256)
+    AssertIntEQ(wolfSSH_KexTest_Connect("mlkem768x25519-sha256"),
+            EXIT_SUCCESS);
+#endif
+#if !defined(WOLFSSH_NO_NISTP384_MLKEM1024_SHA384)
+    AssertIntEQ(wolfSSH_KexTest_Connect("mlkem1024nistp384-sha384"),
+            EXIT_SUCCESS);
 #endif
 
     AssertIntEQ(wolfSSH_Cleanup(), WS_SUCCESS);
 
     return 0;
-#endif
+#endif /* KEXTEST_AVAILABLE */
 }