7 files changed, 348 insertions, 26 deletions

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 0d3dcf78af..22469ce346 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.169 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.170 2025/12/04 21:03:42 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1195,7 +1195,7 @@ ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
                 }
                 goto err;
         }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share, cbs,
             &decode_error, &invalid_key)) {
                 if (decode_error) {
                         SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1264,7 +1264,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
         if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
                 goto err;
 
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share, &public,
             &decode_error, NULL)) {
                 if (decode_error)
                         goto decode_err;
@@ -1859,7 +1859,7 @@ ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
                 goto err;
         }
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_client_generate(s->s3->hs.key_share))
                 goto err;
         if (!tls_key_share_public(s->s3->hs.key_share, cbb))
                 goto err;
@@ -1898,7 +1898,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
                 goto err;
         }
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_client_generate(s->s3->hs.key_share))
                 goto err;
 
         if (!CBB_add_u8_length_prefixed(cbb, &public))
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index db4ba38b51..ef93e283de 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.166 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.167 2025/12/04 21:03:42 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1357,7 +1357,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
                         goto err;
         }
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_server_generate(s->s3->hs.key_share))
                 goto err;
 
         if (!tls_key_share_params(s->s3->hs.key_share, cbb))
@@ -1393,7 +1393,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
         if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                 goto err;
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_server_generate(s->s3->hs.key_share))
                 goto err;
 
         /*
@@ -1744,7 +1744,7 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
                 goto err;
         }
 
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
+        if (!tls_key_share_server_peer_public(s->s3->hs.key_share, cbs,
             &decode_error, &invalid_key)) {
                 if (decode_error) {
                         SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1792,7 +1792,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
                 goto err;
         }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
+        if (!tls_key_share_server_peer_public(s->s3->hs.key_share, &public,
             &decode_error, NULL)) {
                 if (decode_error) {
                         SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 12ede899e8..dcd9a31205 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.157 2025/10/16 14:42:21 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.158 2025/12/04 21:03:42 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1523,7 +1523,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                         *alert = SSL_AD_INTERNAL_ERROR;
                         return 0;
                 }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                     &key_exchange, &decode_error, NULL)) {
                         if (!decode_error)
                                 *alert = SSL_AD_INTERNAL_ERROR;
@@ -1614,7 +1614,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                         *alert = SSL_AD_INTERNAL_ERROR;
                         return 0;
                 }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                     &key_exchange, &decode_error, NULL)) {
                         if (!decode_error)
                                 *alert = SSL_AD_INTERNAL_ERROR;
@@ -1691,7 +1691,7 @@ tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 *alert = SSL_AD_INTERNAL_ERROR;
                 return 0;
         }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share,
             &key_exchange, &decode_error, NULL)) {
                 if (!decode_error)
                         *alert = SSL_AD_INTERNAL_ERROR;
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 901b38f860..b0a285694d 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.104 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.105 2025/12/04 21:03:42 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -53,7 +53,7 @@ tls13_client_init(struct tls13_ctx *ctx)
                 return 0;
         if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                 return 0;
 
         arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
@@ -450,7 +450,7 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
         if ((ctx->hs->key_share =
             tls_key_share_new(ctx->hs->tls13.server_group)) == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                 return 0;
 
         if (!tls13_client_hello_build(ctx, cbb))
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index fa56db9563..604dab4cba 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.111 2025/10/25 12:31:44 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.112 2025/12/04 21:03:42 beck Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -502,7 +502,7 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
         if (ctx->hs->key_share == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_server_generate(ctx->hs->key_share))
                 return 0;
         if (!tls13_servername_process(ctx))
                 return 0;
diff --git a/src/lib/libssl/tls_internal.h b/src/lib/libssl/tls_internal.h
index 84edde8474..3d8d6aa940 100644
--- a/src/lib/libssl/tls_internal.h
+++ b/src/lib/libssl/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.10 2022/11/10 18:06:37 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.11 2025/12/04 21:03:42 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -85,12 +85,15 @@ int tls_key_share_nid(struct tls_key_share *ks);
 void tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits);
 int tls_key_share_set_dh_params(struct tls_key_share *ks, DH *dh_params);
 int tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey);
-int tls_key_share_generate(struct tls_key_share *ks);
+int tls_key_share_client_generate(struct tls_key_share *ks);
+int tls_key_share_server_generate(struct tls_key_share *ks);
 int tls_key_share_params(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_public(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
     int *decode_error, int *invalid_params);
-int tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs,
+int tls_key_share_server_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key);
+int tls_key_share_client_peer_public(struct tls_key_share *ks, CBS *cbs,
     int *decode_error, int *invalid_key);
 int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
     size_t *shared_key_len);
diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c
index cf7b1da262..3f4c44f558 100644
--- a/src/lib/libssl/tls_key_share.c
+++ b/src/lib/libssl/tls_key_share.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_key_share.c,v 1.8 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls_key_share.c,v 1.9 2025/12/04 21:03:42 beck Exp $ */
 /*
  * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -21,6 +21,7 @@
 #include <openssl/dh.h>
 #include <openssl/ec.h>
 #include <openssl/evp.h>
+#include <openssl/mlkem.h>
 
 #include "bytestring.h"
 #include "ssl_local.h"
@@ -40,6 +41,19 @@ struct tls_key_share {
         uint8_t *x25519_public;
         uint8_t *x25519_private;
         uint8_t *x25519_peer_public;
+
+        uint8_t *mlkem_public;
+        size_t mlkem_public_len;
+        MLKEM_private_key *mlkem_private;
+        MLKEM_public_key *mlkem_peer_public;
+
+        /* The ciphertext from MLKEM_encap. */
+        uint8_t *mlkem_encap;
+        size_t mlkem_encap_len;
+
+        /* The shared secret from an ML-KEM encapsulation. */
+        uint8_t *mlkem_shared_secret;
+        size_t mlkem_shared_secret_len;
 };
 
 static struct tls_key_share *
@@ -96,6 +110,12 @@ tls_key_share_free(struct tls_key_share *ks)
         freezero(ks->x25519_private, X25519_KEY_LENGTH);
         freezero(ks->x25519_peer_public, X25519_KEY_LENGTH);
 
+        freezero(ks->mlkem_public, ks->mlkem_public_len);
+        MLKEM_private_key_free(ks->mlkem_private);
+        MLKEM_public_key_free(ks->mlkem_peer_public);
+        freezero(ks->mlkem_encap, ks->mlkem_encap_len);
+        freezero(ks->mlkem_shared_secret, ks->mlkem_shared_secret_len);
+
         freezero(ks, sizeof(*ks));
 }
 
@@ -230,7 +250,73 @@ tls_key_share_generate_x25519(struct tls_key_share *ks)
         return ret;
 }
 
-int
+static int
+tls_key_share_generate_mlkem(struct tls_key_share *ks, int rank)
+{
+        MLKEM_private_key *private = NULL;
+        uint8_t *public = NULL;
+        size_t p_len = 0;
+        int ret = 0;
+
+        if (ks->mlkem_public != NULL || ks->mlkem_private != NULL)
+                goto err;
+
+        if ((private = MLKEM_private_key_new(rank)) == NULL)
+                goto err;
+
+        if (!MLKEM_generate_key(private, &public, &p_len, NULL, NULL))
+                goto err;
+
+        ks->mlkem_public = public;
+        ks->mlkem_public_len = p_len;
+        ks->mlkem_private = private;
+        public = NULL;
+        private = NULL;
+
+        ret = 1;
+
+ err:
+        freezero(public, p_len);
+        MLKEM_private_key_free(private);
+
+        return ret;
+}
+
+static int
+tls_key_share_client_generate_mlkem768x25519(struct tls_key_share *ks)
+{
+        if (!tls_key_share_generate_mlkem(ks, RANK768))
+                return 0;
+
+        if (!tls_key_share_generate_x25519(ks))
+                return 0;
+
+        return 1;
+}
+
+static int
+tls_key_share_server_generate_mlkem768x25519(struct tls_key_share *ks)
+{
+        if (ks->mlkem_private != NULL)
+                return 0;
+
+        /* The server side needs the client's parsed share */
+
+        if (ks->x25519_peer_public == NULL)
+                return 0;
+
+        if (ks->mlkem_peer_public == NULL)
+                return 0;
+
+        if (!tls_key_share_generate_x25519(ks))
+                return 0;
+
+        return MLKEM_encap(ks->mlkem_peer_public, &ks->mlkem_encap,
+            &ks->mlkem_encap_len, &ks->mlkem_shared_secret,
+            &ks->mlkem_shared_secret_len);
+}
+
+static int
 tls_key_share_generate(struct tls_key_share *ks)
 {
         if (ks->nid == NID_dhKeyAgreement)
@@ -242,6 +328,24 @@ tls_key_share_generate(struct tls_key_share *ks)
         return tls_key_share_generate_ecdhe_ecp(ks);
 }
 
+int
+tls_key_share_client_generate(struct tls_key_share *ks)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_client_generate_mlkem768x25519(ks);
+
+        return tls_key_share_generate(ks);
+}
+
+int
+tls_key_share_server_generate(struct tls_key_share *ks)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_server_generate_mlkem768x25519(ks);
+
+        return tls_key_share_generate(ks);
+}
+
 static int
 tls_key_share_params_dhe(struct tls_key_share *ks, CBB *cbb)
 {
@@ -287,6 +391,47 @@ tls_key_share_public_x25519(struct tls_key_share *ks, CBB *cbb)
         return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
 }
 
+static int
+tls_key_share_public_mlkem768x25519(struct tls_key_share *ks, CBB *cbb)
+{
+        uint8_t *mlkem_part;
+        size_t mlkem_part_len;
+
+        if (ks->x25519_public == NULL)
+                return 0;
+
+        /*
+         * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+         * Section 3.1.2:
+         * The server's key exchange value is the concatenation of an
+         * ML-KEM ciphertext returned from encapsulation to the client's
+         * encapsulation key, and the server's ephemeral X25519 share.
+         */
+        mlkem_part = ks->mlkem_encap;
+        mlkem_part_len = ks->mlkem_encap_len;
+
+        /*
+         * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+         * Section 3.1.1:
+         * The client's key_exchange value is the concatenation of the
+         * client's ML-KEM-768 encapsulation key and the client's X25519
+         * ephemeral share.
+         */
+        if (mlkem_part == NULL) {
+                mlkem_part = ks->mlkem_public;
+                mlkem_part_len = ks->mlkem_public_len;
+        }
+
+        if (mlkem_part == NULL)
+                return 0;
+
+        if (!CBB_add_bytes(cbb, mlkem_part, mlkem_part_len))
+                return 0;
+
+        /* Both the client and server send their x25519 public keys. */
+        return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
+}
+
 int
 tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
 {
@@ -296,6 +441,9 @@ tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
         if (ks->nid == NID_X25519)
                 return tls_key_share_public_x25519(ks, cbb);
 
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_public_mlkem768x25519(ks, cbb);
+
         return tls_key_share_public_ecdhe_ecp(ks, cbb);
 }
 
@@ -325,7 +473,7 @@ tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
                 return 0;
 
         return tls_key_share_peer_params_dhe(ks, cbs, decode_error,
-             invalid_params);
+            invalid_params);
 }
 
 static int
@@ -383,7 +531,91 @@ tls_key_share_peer_public_x25519(struct tls_key_share *ks, CBS *cbs,
         return CBS_stow(cbs, &ks->x25519_peer_public, &out_len);
 }
 
-int
+static int
+tls_key_share_client_peer_public_mlkem768x25519(struct tls_key_share *ks,
+    CBS *cbs, int *decode_error)
+{
+        CBS x25519_cbs, mlkem_ciphertext_cbs;
+        size_t out_len;
+
+        if (ks->mlkem_shared_secret != NULL)
+                return 0;
+
+        if (ks->mlkem_private == NULL)
+                return 0;
+
+        if (!CBS_get_bytes(cbs, &mlkem_ciphertext_cbs,
+            MLKEM_private_key_ciphertext_length(ks->mlkem_private)))
+                return 0;
+
+        if (!CBS_get_bytes(cbs, &x25519_cbs, X25519_KEY_LENGTH))
+                return 0;
+
+        if (CBS_len(cbs) != 0)
+                return 0;
+
+        if (!CBS_stow(&x25519_cbs, &ks->x25519_peer_public, &out_len))
+                return 0;
+
+        if (!CBS_stow(&mlkem_ciphertext_cbs, &ks->mlkem_encap, &ks->mlkem_encap_len))
+                return 0;
+
+        return 1;
+}
+
+static int
+tls_key_share_server_peer_public_mlkem768x25519(struct tls_key_share *ks,
+    CBS *cbs, int *decode_error)
+{
+        CBS x25519_cbs, mlkem768_cbs;
+        size_t out_len;
+
+        *decode_error = 0;
+
+        /* The server should not have an mlkem private key */
+        if (ks->mlkem_private != NULL)
+                return 0;
+
+        if (ks->mlkem_shared_secret != NULL)
+                return 0;
+
+        if (ks->mlkem_peer_public != NULL)
+                return 0;
+
+        if (ks->x25519_peer_public != NULL)
+                return 0;
+
+        /* Nein, ist nur normal (1024 ist gigantisch) */
+        if ((ks->mlkem_peer_public = MLKEM_public_key_new(RANK768)) == NULL)
+                goto err;
+
+        if (!CBS_get_bytes(cbs, &mlkem768_cbs,
+            MLKEM_public_key_encoded_length(ks->mlkem_peer_public)))
+                goto err;
+
+        if (!CBS_get_bytes(cbs, &x25519_cbs, X25519_KEY_LENGTH))
+                goto err;
+
+        if (CBS_len(cbs) != 0)
+                goto err;
+
+        if (!CBS_stow(&x25519_cbs, &ks->x25519_peer_public, &out_len))
+                goto err;
+
+        /* Poetische */
+        if (!MLKEM_parse_public_key(ks->mlkem_peer_public,
+            CBS_data(&mlkem768_cbs), CBS_len(&mlkem768_cbs)))
+                goto err;
+
+        return 1;
+
+ err:
+        *decode_error = 1;
+
+        return 0;
+}
+
+static int
 tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error,
     int *invalid_key)
 {
@@ -402,6 +634,30 @@ tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error,
         return tls_key_share_peer_public_ecdhe_ecp(ks, cbs);
 }
 
+/* Called from client to process a server peer */
+int
+tls_key_share_client_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_client_peer_public_mlkem768x25519(ks, cbs,
+                    decode_error);
+
+        return tls_key_share_peer_public(ks, cbs, decode_error, invalid_key);
+}
+
+/* Called from server to process a client peer */
+int
+tls_key_share_server_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_server_peer_public_mlkem768x25519(ks, cbs,
+                    decode_error);
+
+        return tls_key_share_peer_public(ks, cbs, decode_error, invalid_key);
+}
+
 static int
 tls_key_share_derive_dhe(struct tls_key_share *ks,
     uint8_t **shared_key, size_t *shared_key_len)
@@ -451,6 +707,65 @@ tls_key_share_derive_x25519(struct tls_key_share *ks,
         return ret;
 }
 
+/*
+ * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+ * Section 3.1.3:
+ * For X25519MLKEM768, the shared secret is the concatenation of the ML-KEM
+ * shared secret and the X25519 shared secret.
+ */
+static int
+tls_key_share_derive_mlkem768x25519(struct tls_key_share *ks,
+    uint8_t **out_shared_key, size_t *out_shared_key_len)
+{
+        uint8_t *x25519_shared_key;
+        CBB cbb;
+
+        memset(&cbb, 0, sizeof(cbb));
+
+        if (ks->x25519_private == NULL)
+                goto err;
+
+        if (ks->x25519_peer_public == NULL)
+                goto err;
+
+        if (ks->mlkem_shared_secret == NULL) {
+                if (ks->mlkem_private == NULL)
+                        goto err;
+
+                if (ks->mlkem_encap == NULL)
+                        goto err;
+
+                if (!MLKEM_decap(ks->mlkem_private, ks->mlkem_encap,
+                    MLKEM_private_key_ciphertext_length(ks->mlkem_private),
+                    &ks->mlkem_shared_secret, &ks->mlkem_shared_secret_len))
+                        goto err;
+        }
+
+        if (!CBB_init(&cbb,  ks->mlkem_shared_secret_len + X25519_KEY_LENGTH))
+                goto err;
+
+        if (!CBB_add_bytes(&cbb, ks->mlkem_shared_secret,
+            ks->mlkem_shared_secret_len))
+                goto err;
+
+        if (!CBB_add_space(&cbb, &x25519_shared_key, X25519_KEY_LENGTH))
+                goto err;
+
+        if (!X25519(x25519_shared_key, ks->x25519_private,
+            ks->x25519_peer_public))
+                goto err;
+
+        if (!CBB_finish(&cbb, out_shared_key, out_shared_key_len))
+                goto err;
+
+        return 1;
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return 0;
+}
+
 int
 tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
     size_t *shared_key_len)
@@ -468,6 +783,10 @@ tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
                 return tls_key_share_derive_x25519(ks, shared_key,
                     shared_key_len);
 
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_derive_mlkem768x25519(ks, shared_key,
+                    shared_key_len);
+
         return tls_key_share_derive_ecdhe_ecp(ks, shared_key,
             shared_key_len);
 }