16 files changed, 149 insertions, 74 deletions
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 8334ae6..de9d8d3 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -35,6 +35,13 @@ jobs:
          - os: "ubuntu-24.04" # loong64
            arch: "loong64"
            compiler: "gcc"
+          - os: "ubuntu-24.04-arm"
+            arch: "native"
+            compiler: "gcc"
+          - os: "ubuntu-24.04-arm"
+            arch: "native"
+            compiler: "clang"
    steps:
      - name: "Checkout repository"
        uses: actions/checkout@v4
@@ -47,8 +54,8 @@ jobs:
  # Test ASAN with and without ASM enabled.
  test-asan:
-    name: "ASAN (${{ matrix.asm == 'ON' && 'asm' || 'no-asm' }})"
+    name: "${{ matrix.os }} - ASAN (${{ matrix.asm == 'ON' && 'asm' || 'no-asm' }})"
-    runs-on: "ubuntu-24.04"
+    runs-on: "${{ matrix.os }}"
    if: ${{ github.repository_owner == 'libressl' || github.event_name != 'schedule' }}
    permissions:
      contents: read
@@ -56,6 +63,7 @@ jobs:
      fail-fast: false
      matrix:
        asm: [ON, OFF]
+        os: ["ubuntu-24.04", "ubuntu-24.04-arm"]
    steps:
      - name: "Checkout repository"
        uses: actions/checkout@v4
diff --git a/.gitignore b/.gitignore
index c83a56d..03f44eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -108,6 +108,7 @@ tests/constraints*
 tests/crypto_test*
 tests/ctlog.conf
 tests/*.crt
+tests/ec_arithmetic*
 tests/ec_point_conversion*
 tests/ecc_cdh*
 tests/evp_pkey_cleanup*
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3a035bb..17e5a0c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -378,6 +378,16 @@ if(HAVE_NETINET_IP_H)
        add_definitions(-DHAVE_NETINET_IP_H)
 endif()
+check_include_files(resolv.h HAVE_RESOLV_H)
+if(HAVE_RESOLV_H)
+        add_definitions(-DHAVE_RESOLV_H)
+endif()
+check_include_files(arpa/nameser.h HAVE_ARPA_NAMESER_H)
+if(HAVE_ARPA_NAMESER_H)
+        add_definitions(-DHAVE_ARPA_NAMESER_H)
+endif()
 # This isn't ready for universal binaries yet, since we do conditional
 # compilation based on the architecture, but this makes cross compiling for a
 # single architecture work on macOS at least.
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index 047c228..f67d2bd 100644
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -33,11 +33,21 @@ if(HOST_ASM_ELF_X86_64)
                bn/arch/amd64/bignum_add.S
                bn/arch/amd64/bignum_cmadd.S
                bn/arch/amd64/bignum_cmul.S
+                bn/arch/amd64/bignum_modadd.S
+                bn/arch/amd64/bignum_modsub.S
                bn/arch/amd64/bignum_mul.S
+                bn/arch/amd64/bignum_mul_4_8.S
                bn/arch/amd64/bignum_mul_4_8_alt.S
+                bn/arch/amd64/bignum_mul_6_12.S
+                bn/arch/amd64/bignum_mul_6_12_alt.S
+                bn/arch/amd64/bignum_mul_8_16.S
                bn/arch/amd64/bignum_mul_8_16_alt.S
                bn/arch/amd64/bignum_sqr.S
+                bn/arch/amd64/bignum_sqr_4_8.S
                bn/arch/amd64/bignum_sqr_4_8_alt.S
+                bn/arch/amd64/bignum_sqr_6_12.S
+                bn/arch/amd64/bignum_sqr_6_12_alt.S
+                bn/arch/amd64/bignum_sqr_8_16.S
                bn/arch/amd64/bignum_sqr_8_16_alt.S
                bn/arch/amd64/bignum_sub.S
                bn/arch/amd64/word_clz.S
@@ -71,11 +81,21 @@ if(HOST_ASM_MACOSX_X86_64)
                bn/arch/amd64/bignum_add.S
                bn/arch/amd64/bignum_cmadd.S
                bn/arch/amd64/bignum_cmul.S
+                bn/arch/amd64/bignum_modadd.S
+                bn/arch/amd64/bignum_modsub.S
                bn/arch/amd64/bignum_mul.S
+                bn/arch/amd64/bignum_mul_4_8.S
                bn/arch/amd64/bignum_mul_4_8_alt.S
+                bn/arch/amd64/bignum_mul_6_12.S
+                bn/arch/amd64/bignum_mul_6_12_alt.S
+                bn/arch/amd64/bignum_mul_8_16.S
                bn/arch/amd64/bignum_mul_8_16_alt.S
                bn/arch/amd64/bignum_sqr.S
+                bn/arch/amd64/bignum_sqr_4_8.S
                bn/arch/amd64/bignum_sqr_4_8_alt.S
+                bn/arch/amd64/bignum_sqr_6_12.S
+                bn/arch/amd64/bignum_sqr_6_12_alt.S
+                bn/arch/amd64/bignum_sqr_8_16.S
                bn/arch/amd64/bignum_sqr_8_16_alt.S
                bn/arch/amd64/bignum_sub.S
                bn/arch/amd64/word_clz.S
@@ -416,8 +436,10 @@ set(
        lhash/lhash.c
        md4/md4.c
        md5/md5.c
-        mlkem/mlkem768.c
+        mlkem/mlkem.c
        mlkem/mlkem1024.c
+        mlkem/mlkem768.c
+        mlkem/mlkem_key.c
        modes/cbc128.c
        modes/ccm128.c
        modes/cfb128.c
diff --git a/crypto/Makefile.am b/crypto/Makefile.am
index ad241ab..610341a 100644
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -738,9 +738,10 @@ libcrypto_la_SOURCES += md4/md4.c
 libcrypto_la_SOURCES += md5/md5.c
 # mlkem
-libcrypto_la_SOURCES += mlkem/mlkem768.c
+libcrypto_la_SOURCES += mlkem/mlkem.c
 libcrypto_la_SOURCES += mlkem/mlkem1024.c
-noinst_HEADERS += mlkem/mlkem.h
+libcrypto_la_SOURCES += mlkem/mlkem768.c
+libcrypto_la_SOURCES += mlkem/mlkem_key.c
 noinst_HEADERS += mlkem/mlkem_internal.h
 # modes
diff --git a/crypto/Makefile.am.elf-x86_64 b/crypto/Makefile.am.elf-x86_64
index ad49787..df67ad2 100644
--- a/crypto/Makefile.am.elf-x86_64
+++ b/crypto/Makefile.am.elf-x86_64
@@ -10,11 +10,21 @@ ASM_X86_64_ELF += rc4/rc4-elf-x86_64.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_add.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_cmadd.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_cmul.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_modadd.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_modsub.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_mul.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_mul_4_8.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_mul_4_8_alt.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_mul_6_12.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_mul_6_12_alt.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_mul_8_16.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_mul_8_16_alt.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_sqr.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_sqr_4_8.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_sqr_4_8_alt.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_sqr_6_12.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_sqr_6_12_alt.S
+ASM_X86_64_ELF += bn/arch/amd64/bignum_sqr_8_16.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_sqr_8_16_alt.S
 ASM_X86_64_ELF += bn/arch/amd64/bignum_sub.S
 ASM_X86_64_ELF += bn/arch/amd64/word_clz.S
diff --git a/crypto/Makefile.am.macosx-x86_64 b/crypto/Makefile.am.macosx-x86_64
index bbccfd6..23e27e6 100644
--- a/crypto/Makefile.am.macosx-x86_64
+++ b/crypto/Makefile.am.macosx-x86_64
@@ -10,11 +10,21 @@ ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_add.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_cmadd.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_cmul.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_modadd.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_modsub.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_mul.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_mul_4_8.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_mul_4_8_alt.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_mul_6_12.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_mul_6_12_alt.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_mul_8_16.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_mul_8_16_alt.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_sqr.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_sqr_4_8.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_sqr_4_8_alt.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_sqr_6_12.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_sqr_6_12_alt.S
+ASM_X86_64_MACOSX += bn/arch/amd64/bignum_sqr_8_16.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_sqr_8_16_alt.S
 ASM_X86_64_MACOSX += bn/arch/amd64/bignum_sub.S
 ASM_X86_64_MACOSX += bn/arch/amd64/word_clz.S
diff --git a/include/arch/loongarch64/opensslconf.h b/include/arch/loongarch64/opensslconf.h
index 868066c..c31bcc0 100644
--- a/include/arch/loongarch64/opensslconf.h
+++ b/include/arch/loongarch64/opensslconf.h
@@ -11,13 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
diff --git a/include/arch/mips/opensslconf.h b/include/arch/mips/opensslconf.h
index dcbe113..c31bcc0 100644
--- a/include/arch/mips/opensslconf.h
+++ b/include/arch/mips/opensslconf.h
@@ -11,13 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
diff --git a/patches/crypto_namespace.h.patch b/patches/crypto_namespace.h.patch
deleted file mode 100644
index 400030f..0000000
--- a/patches/crypto_namespace.h.patch
+++ /dev/null
@@ -1,22 +0,0 @@
--- crypto/hidden/crypto_namespace.h.orig       Fri Aug  2 23:52:55 2024
-+++ crypto/hidden/crypto_namespace.h    Fri Aug  2 23:53:17 2024
-@@ -24,6 +24,12 @@
-  * external calls use the latter name.
-  */
- 
-+#ifdef _MSC_VER
-+# define LCRYPTO_UNUSED(x)
-+# define LCRYPTO_USED(x)
-+# define LCRYPTO_ALIAS1(pre, x)
-+# define LCRYPTO_ALIAS(x)
-+#else
- #ifdef LIBRESSL_NAMESPACE
- #ifdef LIBRESSL_CRYPTO_NAMESPACE
- #  define LCRYPTO_UNUSED(x)    __attribute__((deprecated))             \
-@@ -47,5 +53,6 @@
- # define LCRYPTO_ALIAS1(pre,x)
- # define LCRYPTO_ALIAS(x)      asm("")
- #endif
-+#endif /* _MSC_VER */
- 
- #endif /* _LIBCRYPTO_CRYPTO_NAMESPACE_H_ */
diff --git a/patches/mlkem_internal.h.patch b/patches/mlkem_internal.h.patch
new file mode 100644
index 0000000..b7cbdcf
--- /dev/null
+++ b/patches/mlkem_internal.h.patch
@@ -0,0 +1,11 @@
+--- crypto/mlkem/mlkem_internal.h.orig  Sun Aug 17 13:20:18 2025
+++ crypto/mlkem/mlkem_internal.h       Sun Aug 17 13:20:37 2025
+@@ -19,7 +19,7 @@
+ #define OPENSSL_HEADER_CRYPTO_MLKEM_INTERNAL_H
+ 
+ #include "bytestring.h"
+-#include "mlkem.h"
+#include <openssl/mlkem.h>
+ 
+ #if defined(__cplusplus)
+ extern "C" {
diff --git a/patches/ssl_namespace.h.patch b/patches/ssl_namespace.h.patch
deleted file mode 100644
index eb9c7a2..0000000
--- a/patches/ssl_namespace.h.patch
+++ /dev/null
@@ -1,21 +0,0 @@
--- ssl/hidden/ssl_namespace.h.orig     Fri Aug  2 23:52:55 2024
-+++ ssl/hidden/ssl_namespace.h  Fri Aug  2 23:53:17 2024
-@@ -23,6 +23,11 @@
-  * and we alias that to the normal name.
-  */
- 
-+#ifdef _MSC_VER
-+#define LSSL_UNUSED(x)
-+#define LSSL_USED(x)
-+#define LSSL_ALIAS(x)
-+#else
- #ifdef LIBRESSL_NAMESPACE
- #define LSSL_UNUSED(x)         typeof(x) x __attribute__((deprecated))
- #define LSSL_USED(x)           __attribute__((visibility("hidden")))   \
-@@ -37,5 +42,6 @@
- #define LSSL_USED(x)
- #define LSSL_ALIAS(x)          asm("")
- #endif
-+#endif /* _MSC_VER */
- 
- #endif /* _LIBSSL_SSL_NAMESPACE_H_ */
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index c497b77..55529cd 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -563,14 +563,16 @@ if(NOT WIN32)
 endif()
 # mlkem_tests
-add_executable(mlkem_tests mlkem_tests.c mlkem_tests_util.c parse_test_file.c)
+add_executable(mlkem_tests mlkem_tests.c parse_test_file.c)
 target_link_libraries(mlkem_tests ${OPENSSL_TEST_LIBS})
 prepare_emscripten_test_target(mlkem_tests)
-if(NOT WIN32)
+if(NOT MSVC)
        add_test(NAME mlkem_tests COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/mlkem_tests.sh)
        set_tests_properties(mlkem_tests PROPERTIES ENVIRONMENT "srcdir=${TEST_SOURCE_DIR}")
+else()
+        add_test(NAME mlkem_tests COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/mlkem_tests.bat $<TARGET_FILE:mlkem_tests>)
 endif()
-# XXX - add tests for Windows
+set_tests_properties(mlkem_tests PROPERTIES ENVIRONMENT "srcdir=${TEST_SOURCE_DIR}")
 # mlkem_iteration_tests
 add_executable(mlkem_iteration_tests mlkem_iteration_tests.c mlkem_tests_util.c)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 914b1e5..066e020 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -577,8 +577,8 @@ noinst_HEADERS += parse_test_file.h
 # mlkem_tests
 TESTS += mlkem_tests.sh
 check_PROGRAMS += mlkem_tests
-mlkem_tests_SOURCES = mlkem_tests.c mlkem_tests_util.c parse_test_file.c
+mlkem_tests_SOURCES = mlkem_tests.c parse_test_file.c
-EXTRA_DIST += mlkem_tests.sh
+EXTRA_DIST += mlkem_tests.sh mlkem_tests.bat
 EXTRA_DIST += mlkem768_decap_tests.txt
 EXTRA_DIST += mlkem768_encap_tests.txt
 EXTRA_DIST += mlkem768_keygen_tests.txt
diff --git a/tests/mlkem_tests.bat b/tests/mlkem_tests.bat
new file mode 100644
index 0000000..618c9e0
--- /dev/null
+++ b/tests/mlkem_tests.bat
@@ -0,0 +1,63 @@
+@echo off
+setlocal enabledelayedexpansion
+:: Copyright (c) 2025 Theo Beuhler
+::
+:: Permission to use, copy, modify, and distribute this software for any
+:: purpose with or without fee is hereby granted, provided that the above
+:: copyright notice and this permission notice appear in all copies.
+::
+:: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+:: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+:: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+:: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+:: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+:: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+:: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+set mlkem_tests_bin=%1
+set mlkem_tests_bin=%mlkem_tests_bin:/=\%
+if not exist %mlkem_tests_bin% exit /b 1
+%mlkem_tests_bin% mlkem768_decap_tests          %srcdir%\mlkem768_decap_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+%mlkem_tests_bin% mlkem768_encap_tests          %srcdir%\mlkem768_encap_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+%mlkem_tests_bin% mlkem768_keygen_tests         %srcdir%\mlkem768_keygen_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+%mlkem_tests_bin% mlkem768_nist_decap_tests     %srcdir%\mlkem768_nist_decap_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+%mlkem_tests_bin% mlkem768_nist_keygen_tests    %srcdir%\mlkem768_nist_keygen_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+%mlkem_tests_bin% mlkem1024_decap_tests         %srcdir%\mlkem1024_decap_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+%mlkem_tests_bin% mlkem1024_encap_tests         %srcdir%\mlkem1024_encap_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+%mlkem_tests_bin% mlkem1024_keygen_tests        %srcdir%\mlkem1024_keygen_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+%mlkem_tests_bin% mlkem1024_nist_decap_tests    %srcdir%\mlkem1024_nist_decap_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+%mlkem_tests_bin% mlkem1024_nist_keygen_tests   %srcdir%\mlkem1024_nist_keygen_tests.txt
+if !errorlevel! neq 0 (
+        exit /b 1
+)
+endlocal
diff --git a/update.sh b/update.sh
index e8b0566..761953a 100755
--- a/update.sh
+++ b/update.sh
@@ -142,7 +142,7 @@ copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
        ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
        objects/objects.h asn1/asn1.h asn1/posix_time.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
        ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
-        hkdf/hkdf.h hmac/hmac.h rand/rand.h md5/md5.h
+        hkdf/hkdf.h hmac/hmac.h rand/rand.h md5/md5.h mlkem/mlkem.h
        x509/x509v3.h conf/conf.h ocsp/ocsp.h
        aes/aes.h modes/modes.h asn1/asn1t.h bf/blowfish.h
        bio/bio.h cast/cast.h cmac/cmac.h cms/cms.h des/des.h dh/dh.h