ML-KEM/Kyber: improvements

ML-KEM/Kyber:
  MakeKey call generate random once only for all data.
  Allow MakeKey/Encapsulate/Decapsulate to be compiled separately.
  Pull out public key decoding common to public and private key decode.
Put references to FIPS 140-3 into code. Rename variables to match FIPS
140-3.
  Fix InvNTT assembly code for x64 - more reductions.
  Split out ML-KEM/Kyber tests from api.c.

TLSX:
Store the object instead of the private key when WOLFSSL_MLKEM_CACHE_A
is defined or WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ. Faster decapsulation
when A is cached and object stored.
To store private key as normal define
WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY.

misc.c: when Intel x64 build, assume able to read/write unaligned

tests/api/include.am

@@ -13,6 +13,7 @@ tests_unit_test_SOURCES += tests/api/test_sm3.c
 tests_unit_test_SOURCES += tests/api/test_ripemd.c
 tests_unit_test_SOURCES += tests/api/test_hash.c
 tests_unit_test_SOURCES += tests/api/test_ascon.c
+tests_unit_test_SOURCES += tests/api/test_mlkem.c
 tests_unit_test_SOURCES += tests/api/test_dtls.c
 tests_unit_test_SOURCES += tests/api/test_ocsp.c
 endif
@@ -29,6 +30,7 @@ EXTRA_DIST += tests/api/test_hash.h
 EXTRA_DIST += tests/api/test_ascon.h
 EXTRA_DIST += tests/api/test_ascon.h
 EXTRA_DIST += tests/api/test_ascon_kats.h
+EXTRA_DIST += tests/api/test_mlkem.h
 EXTRA_DIST += tests/api/test_dtls.h
 EXTRA_DIST += tests/api/test_ocsp.h
 EXTRA_DIST += tests/api/test_ocsp_test_blobs.h

tests/api/test_mlkem.h

@@ -0,0 +1,29 @@
+/* test_mlkem.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_MLKEM_H
+#define WOLFCRYPT_TEST_MLKEM_H
+
+int test_wc_mlkem_make_key_kats(void);
+int test_wc_mlkem_encapsulate_kats(void);
+int test_wc_mlkem_decapsulate_kats(void);
+
+#endif /* WOLFCRYPT_TEST_MLKEM_H */

tests/suites.c

@@ -168,7 +168,7 @@ static int IsValidCipherSuite(const char* line, char *suite, size_t suite_spc)
     return valid;
 }
 
-#ifdef WOLFSSL_HAVE_KYBER
+#if defined(WOLFSSL_HAVE_KYBER)
 static int IsKyberLevelAvailable(const char* line)
 {
     int available = 0;
@@ -222,7 +222,14 @@ static int IsKyberLevelAvailable(const char* line)
     #endif
     }
 
+#if defined(WOLFSSL_KYBER_NO_MAKE_KEY) || \
+    defined(WOLFSSL_KYBER_NO_ENCAPSULATE) || \
+    defined(WOLFSSL_KYBER_NO_DECAPSULATE)
+    (void)available;
+    return begin == NULL;
+#else
     return (begin == NULL) || available;
+#endif
 }
 #endif
 

tests/unit.c

@@ -192,13 +192,20 @@ int unit_test(int argc, char** argv)
         else if (XSTRCMP(argv[1], "--no-api") == 0) {
             apiTesting = 0;
         }
-        else if (argv[1][1] >= '0' && argv[1][1] <= '9') {
+        else if (argv[1][0] == '-' && argv[1][1] >= '0' && argv[1][1] <= '9') {
             ret = ApiTest_RunIdx(atoi(argv[1] + 1));
             if (ret != 0) {
                 goto exit;
             }
             allTesting = 0;
         }
+        else if (argv[1][0] == '-' && argv[1][1] == '~') {
+            ret = ApiTest_RunPartName(argv[1] + 2);
+            if (ret != 0) {
+                goto exit;
+            }
+            allTesting = 0;
+        }
         else {
             ret = ApiTest_RunName(argv[1] + 1);
             if (ret != 0) {

tests/unit.h

@@ -414,6 +414,7 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
 
 void ApiTest_PrintTestCases(void);
 int ApiTest_RunIdx(int idx);
+int ApiTest_RunPartName(char* name);
 int ApiTest_RunName(char* name);
 int ApiTest(void);