buildroot/package/gnutls/0001-groups-represent-hybrid-groups-with-an-array-of-IDs.patch

From 5ed597eb28c408c5968e6dfb839880ba5fa17ba1 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 6 Dec 2024 09:53:18 +0900
Subject: [PATCH] groups: represent hybrid groups with an array of IDs

Previously, the supported_groups array contained externally defined
elements, which is legitimate in C99 but caused error with Clang:

  groups.c:93:2: error: initializer element is not a compile-time constant
          group_x25519,
          ^~~~~~~~~~~~

This reworks the array definition of indirection through group
IDs (gnutls_group_t, i.e., integer).

This also makes pqc-hybrid-kx test more exhaustive.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
Upstream: https://gitlab.com/gnutls/gnutls/-/commit/9cc9d5556d258d23a399abfe45715773e719d134
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
---
 lib/algorithms.h                |   7 ++
 lib/algorithms/groups.c         | 161 ++++++++++++++++++++------------
 lib/ext/key_share.c             |  81 ++++++++++++----
 lib/ext/supported_groups.c      |  45 +++++----
 lib/gnutls_int.h                |   8 +-
 lib/includes/gnutls/gnutls.h.in |   4 +-
 lib/priority.c                  |  25 ++---
 lib/session.c                   |   6 +-
 tests/pqc-hybrid-kx.sh          | 101 +++++++++++++++++---
 9 files changed, 315 insertions(+), 123 deletions(-)

diff --git a/lib/algorithms.h b/lib/algorithms.h
index 2e1b694c6..c4af571ce 100644
--- a/lib/algorithms.h
+++ b/lib/algorithms.h
@@ -55,6 +55,9 @@
 #define IS_KEM(x) \
 	(((x) == GNUTLS_PK_MLKEM768) || ((x) == GNUTLS_PK_EXP_KYBER768))
 
+
+#define IS_GROUP_HYBRID(group) ((group)->ids[0] != GNUTLS_GROUP_INVALID)
+
 #define SIG_SEM_PRE_TLS12 (1 << 1)
 #define SIG_SEM_TLS13 (1 << 2)
 #define SIG_SEM_DEFAULT (SIG_SEM_PRE_TLS12 | SIG_SEM_TLS13)
@@ -493,6 +496,10 @@ const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num);
 const gnutls_group_entry_st *_gnutls_id_to_group(unsigned id);
 gnutls_group_t _gnutls_group_get_id(const char *name);
 
+int _gnutls_group_expand(
+	const gnutls_group_entry_st *group,
+	const gnutls_group_entry_st *subgroups[MAX_HYBRID_GROUPS + 1]);
+
 gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk,
 					     int bits);
 #define MAX_ECC_CURVE_SIZE 66
diff --git a/lib/algorithms/groups.c b/lib/algorithms/groups.c
index 88d0cf630..2fbe7b8ec 100644
--- a/lib/algorithms/groups.c
+++ b/lib/algorithms/groups.c
@@ -30,30 +30,6 @@
 /* Supported ECC curves
  */
 
-#ifdef HAVE_LIBOQS
-static const gnutls_group_entry_st group_mlkem768 = {
-	.name = "MLKEM768",
-	.id = GNUTLS_GROUP_INVALID,
-	.curve = GNUTLS_ECC_CURVE_INVALID,
-	.pk = GNUTLS_PK_MLKEM768,
-};
-
-static const gnutls_group_entry_st group_kyber768 = {
-	.name = "KYBER768",
-	.id = GNUTLS_GROUP_INVALID,
-	.curve = GNUTLS_ECC_CURVE_INVALID,
-	.pk = GNUTLS_PK_EXP_KYBER768,
-};
-#endif
-
-static const gnutls_group_entry_st group_x25519 = {
-	.name = "X25519",
-	.id = GNUTLS_GROUP_X25519,
-	.curve = GNUTLS_ECC_CURVE_X25519,
-	.tls_id = 29,
-	.pk = GNUTLS_PK_ECDH_X25519,
-};
-
 static const gnutls_group_entry_st supported_groups[] = {
 	{
 		.name = "SECP192R1",
@@ -90,7 +66,13 @@ static const gnutls_group_entry_st supported_groups[] = {
 		.tls_id = 25,
 		.pk = GNUTLS_PK_ECDSA,
 	},
-	group_x25519,
+	{
+		.name = "X25519",
+		.id = GNUTLS_GROUP_X25519,
+		.curve = GNUTLS_ECC_CURVE_X25519,
+		.tls_id = 29,
+		.pk = GNUTLS_PK_ECDH_X25519,
+	},
 #ifdef ENABLE_GOST
 	/* draft-smyshlyaev-tls12-gost-suites-06, Section 6 */
 	{
@@ -191,24 +173,33 @@ static const gnutls_group_entry_st supported_groups[] = {
 	  .tls_id = 0x104 },
 #endif
 #ifdef HAVE_LIBOQS
+	{
+		.name = "MLKEM768",
+		.id = GNUTLS_GROUP_EXP_MLKEM768,
+		.pk = GNUTLS_PK_MLKEM768,
+		/* absense of .tls_id means that this group alone cannot be used in TLS */
+	},
+	{
+		.name = "KYBER768",
+		.id = GNUTLS_GROUP_EXP_KYBER768,
+		.pk = GNUTLS_PK_EXP_KYBER768,
+		/* absense of .tls_id means that this group alone cannot be used in TLS */
+	},
 	{ .name = "SECP256R1-MLKEM768",
 	  .id = GNUTLS_GROUP_EXP_SECP256R1_MLKEM768,
-	  .curve = GNUTLS_ECC_CURVE_SECP256R1,
-	  .pk = GNUTLS_PK_ECDSA,
-	  .tls_id = 0x11EB,
-	  .next = &group_mlkem768 },
+	  .ids = { GNUTLS_GROUP_SECP256R1, GNUTLS_GROUP_EXP_MLKEM768,
+		   GNUTLS_GROUP_INVALID },
+	  .tls_id = 0x11EB },
 	{ .name = "X25519-MLKEM768",
 	  .id = GNUTLS_GROUP_EXP_X25519_MLKEM768,
-	  .curve = GNUTLS_ECC_CURVE_INVALID,
-	  .pk = GNUTLS_PK_MLKEM768,
-	  .tls_id = 0x11EC,
-	  .next = &group_x25519 },
+	  .ids = { GNUTLS_GROUP_EXP_MLKEM768, GNUTLS_GROUP_X25519,
+		   GNUTLS_GROUP_INVALID },
+	  .tls_id = 0x11EC },
 	{ .name = "X25519-KYBER768",
 	  .id = GNUTLS_GROUP_EXP_X25519_KYBER768,
-	  .curve = GNUTLS_ECC_CURVE_X25519,
-	  .pk = GNUTLS_PK_ECDH_X25519,
-	  .tls_id = 0x6399,
-	  .next = &group_kyber768 },
+	  .ids = { GNUTLS_GROUP_X25519, GNUTLS_GROUP_EXP_KYBER768,
+		   GNUTLS_GROUP_INVALID },
+	  .tls_id = 0x6399 },
 #endif
 	{ 0, 0, 0 }
 };
@@ -221,14 +212,46 @@ static const gnutls_group_entry_st supported_groups[] = {
 		}                                                  \
 	}
 
+static inline const gnutls_group_entry_st *group_to_entry(gnutls_group_t group)
+{
+	if (group == 0)
+		return NULL;
+
+	GNUTLS_GROUP_LOOP(if (p->id == group) { return p; });
+
+	return NULL;
+}
+
+static inline bool
+group_is_supported_standalone(const gnutls_group_entry_st *group)
+{
+	return group->pk != 0 && _gnutls_pk_exists(group->pk) &&
+	       (group->curve == 0 ||
+		_gnutls_ecc_curve_is_supported(group->curve));
+}
+
+static inline bool group_is_supported(const gnutls_group_entry_st *group)
+{
+	if (!IS_GROUP_HYBRID(group))
+		return group_is_supported_standalone(group);
+
+	for (size_t i = 0;
+	     i < MAX_HYBRID_GROUPS && group->ids[i] != GNUTLS_GROUP_INVALID;
+	     i++) {
+		const gnutls_group_entry_st *p = group_to_entry(group->ids[i]);
+		if (!p || !group_is_supported_standalone(p))
+			return false;
+	}
+
+	return true;
+}
+
 /* Returns the TLS id of the given curve
  */
 const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num)
 {
 	GNUTLS_GROUP_LOOP(
-		if (p->tls_id == num &&
-		    (p->curve == 0 ||
-		     _gnutls_ecc_curve_is_supported(p->curve))) { return p; });
+		if (p->tls_id == num && group_is_supported(p)) { return p; });
 
 	return NULL;
 }
@@ -239,10 +262,7 @@ const gnutls_group_entry_st *_gnutls_id_to_group(unsigned id)
 		return NULL;
 
 	GNUTLS_GROUP_LOOP(
-		if (p->id == id && (p->curve == 0 ||
-				    _gnutls_ecc_curve_is_supported(p->curve))) {
-			return p;
-		});
+		if (p->id == id && group_is_supported(p)) { return p; });
 
 	return NULL;
 }
@@ -261,27 +281,17 @@ const gnutls_group_entry_st *_gnutls_id_to_group(unsigned id)
  **/
 const gnutls_group_t *gnutls_group_list(void)
 {
-	static gnutls_group_t groups[MAX_ALGOS] = { 0 };
+	static gnutls_group_t groups[MAX_ALGOS + 1] = { 0 };
 
 	if (groups[0] == 0) {
-		int i = 0;
+		size_t i = 0;
 
-		const gnutls_group_entry_st *p;
-
-		for (p = supported_groups; p->name != NULL; p++) {
-			const gnutls_group_entry_st *pp;
-
-			for (pp = p; pp != NULL; pp = pp->next) {
-				if ((pp->curve != 0 &&
-				     !_gnutls_ecc_curve_is_supported(
-					     pp->curve)) ||
-				    (pp->pk != 0 && !_gnutls_pk_exists(pp->pk)))
-					break;
-			}
-			if (pp == NULL)
+		for (const gnutls_group_entry_st *p = supported_groups;
+		     p->name != NULL; p++) {
+			if (group_is_supported(p))
 				groups[i++] = p->id;
 		}
-		groups[i++] = 0;
+		groups[i++] = GNUTLS_GROUP_INVALID;
 	}
 
 	return groups;
@@ -344,3 +354,34 @@ const char *gnutls_group_get_name(gnutls_group_t group)
 
 	return NULL;
 }
+
+/* Expand GROUP into hybrid SUBGROUPS if any, otherwise an array
+ * containing the GROUP itself. The result will be written to
+ * SUBGROUPS, which will be NUL-terminated.
+ */
+int _gnutls_group_expand(
+	const gnutls_group_entry_st *group,
+	const gnutls_group_entry_st *subgroups[MAX_HYBRID_GROUPS + 1])
+{
+	size_t pos = 0;
+
+	if (IS_GROUP_HYBRID(group)) {
+		for (size_t i = 0; i < MAX_HYBRID_GROUPS &&
+				   group->ids[i] != GNUTLS_GROUP_INVALID;
+		     i++) {
+			const gnutls_group_entry_st *p =
+				group_to_entry(group->ids[i]);
+			/* This shouldn't happen, as GROUP is assumed
+			 * to be supported before calling this
+			 * function. */
+			if (unlikely(!p))
+				return gnutls_assert_val(
+					GNUTLS_E_INTERNAL_ERROR);
+			subgroups[pos++] = p;
+		}
+	} else {
+		subgroups[pos++] = group;
+	}
+	subgroups[pos] = NULL;
+	return 0;
+}
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index 574521157..8fbe2d2bd 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -232,6 +232,9 @@ static int client_gen_key_share(gnutls_session_t session,
 				gnutls_buffer_st *extdata)
 {
 	unsigned int length_pos;
+	const gnutls_group_entry_st *groups[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
 	int ret;
 
 	_gnutls_handshake_log("EXT[%p]: sending key share for %s\n", session,
@@ -247,8 +250,12 @@ static int client_gen_key_share(gnutls_session_t session,
 	if (ret < 0)
 		return gnutls_assert_val(ret);
 
-	for (const gnutls_group_entry_st *p = group; p != NULL; p = p->next) {
-		ret = client_gen_key_share_single(session, p, extdata);
+	ret = _gnutls_group_expand(group, groups);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+
+	for (size_t i = 0; groups[i]; i++) {
+		ret = client_gen_key_share_single(session, groups[i], extdata);
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 	}
@@ -345,6 +352,9 @@ static int server_gen_key_share(gnutls_session_t session,
 				gnutls_buffer_st *extdata)
 {
 	unsigned int length_pos;
+	const gnutls_group_entry_st *groups[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
 	int ret;
 
 	_gnutls_handshake_log("EXT[%p]: sending key share for %s\n", session,
@@ -360,8 +370,12 @@ static int server_gen_key_share(gnutls_session_t session,
 	if (ret < 0)
 		return gnutls_assert_val(ret);
 
-	for (const gnutls_group_entry_st *p = group; p != NULL; p = p->next) {
-		ret = server_gen_key_share_single(session, p, extdata);
+	ret = _gnutls_group_expand(group, groups);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+
+	for (size_t i = 0; groups[i]; i++) {
+		ret = server_gen_key_share_single(session, groups[i], extdata);
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 	}
@@ -594,13 +608,19 @@ static int server_use_key_share(gnutls_session_t session,
 				const uint8_t *data, size_t data_size)
 {
 	gnutls_buffer_st buffer;
+	const gnutls_group_entry_st *groups[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+	int ret;
 
 	_gnutls_ro_buffer_init(&buffer, data, data_size);
 
-	for (const gnutls_group_entry_st *p = group; p != NULL; p = p->next) {
-		int ret;
+	ret = _gnutls_group_expand(group, groups);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
 
-		ret = server_use_key_share_single(session, p, &buffer);
+	for (size_t i = 0; groups[i]; i++) {
+		ret = server_use_key_share_single(session, groups[i], &buffer);
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 	}
@@ -775,13 +795,19 @@ static int client_use_key_share(gnutls_session_t session,
 				const uint8_t *data, size_t data_size)
 {
 	gnutls_buffer_st buffer;
+	const gnutls_group_entry_st *groups[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+	int ret;
 
 	_gnutls_ro_buffer_init(&buffer, data, data_size);
 
-	for (const gnutls_group_entry_st *p = group; p != NULL; p = p->next) {
-		int ret;
+	ret = _gnutls_group_expand(group, groups);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
 
-		ret = client_use_key_share_single(session, p, &buffer);
+	for (size_t i = 0; groups[i]; i++) {
+		ret = client_use_key_share_single(session, groups[i], &buffer);
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 	}
@@ -958,18 +984,39 @@ static int key_share_recv_params(gnutls_session_t session, const uint8_t *data,
 	return 0;
 }
 
+static inline bool pk_types_overlap_single(const gnutls_group_entry_st *a,
+					   const gnutls_group_entry_st *b)
+{
+	return a->pk == b->pk || (IS_ECDHX(a->pk) && IS_ECDHX(b->pk)) ||
+	       (IS_KEM(a->pk) && IS_KEM(b->pk));
+}
+
 static inline bool pk_types_overlap(const gnutls_group_entry_st *a,
 				    const gnutls_group_entry_st *b)
 {
-	const gnutls_group_entry_st *pa;
+	const gnutls_group_entry_st *sa[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+	const gnutls_group_entry_st *sb[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+	int ret;
+
+	ret = _gnutls_group_expand(a, sa);
+	if (ret < 0) {
+		gnutls_assert();
+		return false;
+	}
 
-	for (pa = a; pa != NULL; pa = pa->next) {
-		const gnutls_group_entry_st *pb;
+	ret = _gnutls_group_expand(b, sb);
+	if (ret < 0) {
+		gnutls_assert();
+		return false;
+	}
 
-		for (pb = b; pb != NULL; pb = pb->next) {
-			if (pa->pk == pb->pk ||
-			    (IS_ECDHX(pa->pk) && IS_ECDHX(pb->pk)) ||
-			    (IS_KEM(pa->pk) && IS_KEM(pb->pk)))
+	for (size_t i = 0; sa[i]; i++) {
+		for (size_t j = 0; sb[j]; j++) {
+			if (pk_types_overlap_single(sa[i], sb[j]))
 				return true;
 		}
 	}
diff --git a/lib/ext/supported_groups.c b/lib/ext/supported_groups.c
index 254ec4882..4c31d2f8f 100644
--- a/lib/ext/supported_groups.c
+++ b/lib/ext/supported_groups.c
@@ -106,9 +106,9 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
 	unsigned min_dh;
 	unsigned j;
 	int serv_ec_idx, serv_dh_idx,
-		serv_kem_idx; /* index in server's priority listing */
+		serv_hybrid_idx; /* index in server's priority listing */
 	int cli_ec_pos, cli_dh_pos,
-		cli_kem_pos; /* position in listing sent by client */
+		cli_hybrid_pos; /* position in listing sent by client */
 
 	if (session->security_parameters.entity == GNUTLS_CLIENT) {
 		/* A client shouldn't receive this extension in TLS1.2. It is
@@ -134,8 +134,8 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
 		/* we figure what is the minimum DH allowed for this session, if any */
 		min_dh = get_min_dh(session);
 
-		serv_ec_idx = serv_dh_idx = serv_kem_idx = -1;
-		cli_ec_pos = cli_dh_pos = cli_kem_pos = -1;
+		serv_ec_idx = serv_dh_idx = serv_hybrid_idx = -1;
+		cli_ec_pos = cli_dh_pos = cli_hybrid_pos = -1;
 
 		/* This extension is being processed prior to a ciphersuite being selected,
 		 * so we cannot rely on ciphersuite information. */
@@ -180,14 +180,15 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
 								break;
 							serv_ec_idx = j;
 							cli_ec_pos = i;
-						} else if (IS_KEM(group->pk)) {
-							if (serv_kem_idx !=
+						} else if (IS_GROUP_HYBRID(
+								   group)) {
+							if (serv_hybrid_idx !=
 								    -1 &&
 							    (int)j >
-								    serv_kem_idx)
+								    serv_hybrid_idx)
 								break;
-							serv_kem_idx = j;
-							cli_kem_pos = i;
+							serv_hybrid_idx = j;
+							cli_hybrid_pos = i;
 						}
 					} else {
 						if (group->pk == GNUTLS_PK_DH) {
@@ -200,11 +201,13 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
 								break;
 							cli_ec_pos = i;
 							serv_ec_idx = j;
-						} else if (IS_KEM(group->pk)) {
-							if (cli_kem_pos != -1)
+						} else if (IS_GROUP_HYBRID(
+								   group)) {
+							if (cli_hybrid_pos !=
+							    -1)
 								break;
-							cli_kem_pos = i;
-							serv_kem_idx = j;
+							cli_hybrid_pos = i;
+							serv_hybrid_idx = j;
 						}
 					}
 					break;
@@ -212,7 +215,7 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
 			}
 		}
 
-		/* serv_{dh,ec,kem}_idx contain the index of the groups we want to use.
+		/* serv_{dh,ec,hybrid}_idx contain the index of the groups we want to use.
 		 */
 		if (serv_dh_idx != -1) {
 			session->internals.cand_dh_group =
@@ -236,18 +239,20 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
 			}
 		}
 
-		/* KEM can only be used in TLS 1.3, where no separation from
-		 * ECDH and DH, and thus only cand_group is set here.
+		/* PQC hybrid key exchange groups can only be used in
+		 * TLS 1.3, where no distinction between ECDH and DH
+		 * in the group definitions, and thus only cand_group
+		 * is set here.
 		 */
-		if (serv_kem_idx != -1) {
+		if (serv_hybrid_idx != -1) {
 			if (session->internals.cand_group == NULL ||
 			    (session->internals.priorities->server_precedence &&
-			     serv_kem_idx < MIN(serv_ec_idx, serv_dh_idx)) ||
+			     serv_hybrid_idx < MIN(serv_ec_idx, serv_dh_idx)) ||
 			    (!session->internals.priorities->server_precedence &&
-			     cli_kem_pos < MIN(cli_ec_pos, cli_dh_pos))) {
+			     cli_hybrid_pos < MIN(cli_ec_pos, cli_dh_pos))) {
 				session->internals.cand_group =
 					session->internals.priorities->groups
-						.entry[serv_kem_idx];
+						.entry[serv_hybrid_idx];
 			}
 		}
 
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index fb2cacb54..01ef59729 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -756,6 +756,8 @@ typedef struct gnutls_cipher_suite_entry_st {
 	gnutls_mac_algorithm_t prf;
 } gnutls_cipher_suite_entry_st;
 
+#define MAX_HYBRID_GROUPS 2
+
 typedef struct gnutls_group_entry_st {
 	const char *name;
 	gnutls_group_t id;
@@ -765,8 +767,12 @@ typedef struct gnutls_group_entry_st {
 	const unsigned *q_bits;
 	gnutls_ecc_curve_t curve;
 	gnutls_pk_algorithm_t pk;
+	gnutls_group_t ids[MAX_HYBRID_GROUPS + 1]; /* IDs of subgroups
+						    * comprising a
+						    * hybrid group,
+						    * terminated with
+						    * GNUTLS_GROUP_INVALID */
 	unsigned tls_id; /* The RFC4492 namedCurve ID or TLS 1.3 group ID */
-	const struct gnutls_group_entry_st *next;
 } gnutls_group_entry_st;
 
 #define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE \
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 8b3bb5213..1e44fdd91 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1147,8 +1147,10 @@ typedef enum {
 	GNUTLS_GROUP_EXP_X25519_KYBER768 = 512,
 	GNUTLS_GROUP_EXP_SECP256R1_MLKEM768 = 513,
 	GNUTLS_GROUP_EXP_X25519_MLKEM768 = 514,
+	GNUTLS_GROUP_EXP_KYBER768 = 515,
+	GNUTLS_GROUP_EXP_MLKEM768 = 516,
 	GNUTLS_GROUP_EXP_MIN = GNUTLS_GROUP_EXP_X25519_KYBER768,
-	GNUTLS_GROUP_EXP_MAX = GNUTLS_GROUP_EXP_X25519_MLKEM768
+	GNUTLS_GROUP_EXP_MAX = GNUTLS_GROUP_EXP_MLKEM768
 } gnutls_group_t;
 
 /* macros to allow specifying a specific curve in gnutls_privkey_generate()
diff --git a/lib/priority.c b/lib/priority.c
index ac4ff2d8c..479dbccd6 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -2566,7 +2566,7 @@ static void add_dh(gnutls_priority_t priority_cache)
 	}
 }
 
-static void add_kem(gnutls_priority_t priority_cache)
+static void add_hybrid(gnutls_priority_t priority_cache)
 {
 	const gnutls_group_entry_st *ge;
 	unsigned i;
@@ -2579,7 +2579,7 @@ static void add_kem(gnutls_priority_t priority_cache)
 			    sizeof(priority_cache->groups.entry) /
 				    sizeof(priority_cache->groups.entry[0])) {
 			/* do not add groups which do not correspond to enabled ciphersuites */
-			if (!IS_KEM(ge->pk))
+			if (!IS_GROUP_HYBRID(ge))
 				continue;
 			priority_cache->groups
 				.entry[priority_cache->groups.size++] = ge;
@@ -2598,7 +2598,7 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
 	const gnutls_sign_entry_st *se;
 	unsigned have_ec = 0;
 	unsigned have_dh = 0;
-	unsigned have_kem = 0;
+	unsigned have_hybrid = 0;
 	unsigned tls_sig_sem = 0;
 	const version_entry_st *tlsmax = NULL, *vers;
 	const version_entry_st *dtlsmax = NULL;
@@ -2807,9 +2807,9 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
 			priority_cache->cs.entry[priority_cache->cs.size++] =
 				ce;
 
-			if (!have_kem) {
-				have_kem = 1;
-				add_kem(priority_cache);
+			if (!have_hybrid) {
+				have_hybrid = 1;
+				add_hybrid(priority_cache);
 			}
 		}
 	}
@@ -2851,8 +2851,8 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
 		}
 	}
 
-	if (have_tls13 && (!have_ec || !have_dh || !have_kem)) {
-		/* scan groups to determine have_{ec,dh,kem} */
+	if (have_tls13 && (!have_ec || !have_dh || !have_hybrid)) {
+		/* scan groups to determine have_{ec,dh,hybrid} */
 		for (i = 0; i < priority_cache->_supported_ecc.num_priorities;
 		     i++) {
 			const gnutls_group_entry_st *ge;
@@ -2865,12 +2865,13 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
 				} else if (ge->prime && !have_dh) {
 					add_dh(priority_cache);
 					have_dh = 1;
-				} else if (IS_KEM(ge->pk) && !have_kem) {
-					add_kem(priority_cache);
-					have_kem = 1;
+				} else if (IS_GROUP_HYBRID(ge) &&
+					   !have_hybrid) {
+					add_hybrid(priority_cache);
+					have_hybrid = 1;
 				}
 
-				if (have_dh && have_ec && have_kem)
+				if (have_dh && have_ec && have_hybrid)
 					break;
 			}
 		}
diff --git a/lib/session.c b/lib/session.c
index a9049a464..7fcbe4fb4 100644
--- a/lib/session.c
+++ b/lib/session.c
@@ -415,7 +415,11 @@ char *gnutls_session_get_desc(gnutls_session_t session)
 				snprintf(kx_name, sizeof(kx_name), "(PSK)");
 			}
 		} else if (group && sign_str) {
-			if (group->curve)
+			if (IS_GROUP_HYBRID(group))
+				snprintf(kx_name, sizeof(kx_name),
+					 "(HYBRID-%s)-(%s)", group_name,
+					 sign_str);
+			else if (group->curve)
 				snprintf(kx_name, sizeof(kx_name),
 					 "(ECDHE-%s)-(%s)", group_name,
 					 sign_str);
diff --git a/tests/pqc-hybrid-kx.sh b/tests/pqc-hybrid-kx.sh
index da936cf04..4984cd4b4 100644
--- a/tests/pqc-hybrid-kx.sh
+++ b/tests/pqc-hybrid-kx.sh
@@ -33,34 +33,113 @@
 
 . "${srcdir}/scripts/common.sh"
 
+# First check any mismatch in the gnutls-cli --list
 if ! "${CLI}" --list | grep '^Groups: .*GROUP-X25519-KYBER768.*' >/dev/null; then
     if "${CLI}" --list | grep '^Public Key Systems: .*KYBER768.*' >/dev/null; then
-	fail "KYBER768 is in Public Key Systems, while GROUP-X25519-KYBER768 is NOT in Groups"
+	fail '' 'KYBER768 is in Public Key Systems, while GROUP-X25519-KYBER768 is NOT in Groups'
     fi
-    exit 77
 else
     if ! "${CLI}" --list | grep '^Public Key Systems: .*KYBER768.*' >/dev/null; then
-	fail "KYBER768 is NOT in Public Key Systems, while GROUP-X25519-KYBER768 is in Groups"
+	fail '' 'KYBER768 is NOT in Public Key Systems, while GROUP-X25519-KYBER768 is in Groups'
+    fi
+fi
+
+if ! "${CLI}" --list | grep '^Groups: .*GROUP-\(SECP256R1\|X25519\)-MLKEM768.*' >/dev/null; then
+    if "${CLI}" --list | grep '^Public Key Systems: .*ML-KEM-768.*' >/dev/null; then
+	fail '' 'ML-KEM-768 is in Public Key Systems, while GROUP-SECP256R1-MLKEM768 or GROUP-X25519-MLKEM768 is NOT in Groups'
+    fi
+else
+    if ! "${CLI}" --list | grep '^Public Key Systems: .*ML-KEM-768.*' >/dev/null; then
+	fail '' 'ML-KEM-768 is NOT in Public Key Systems, while GROUP-SECP256R1-MLKEM768 or GROUP-X25519-MLKEM768 is in Groups'
     fi
 fi
 
+# If none of those hybrid groups is supported, skip the test
+if ! "${CLI}" --list | grep '^Groups: .*GROUP-\(X25519-KYBER768\|SECP256R1-MLKEM768\|X25519-MLKEM768\).*' >/dev/null; then
+    exit 77
+fi
+
 testdir=`create_testdir pqc-hybrid-kx`
 
 KEY="$srcdir/../doc/credentials/x509/key-ecc.pem"
 CERT="$srcdir/../doc/credentials/x509/cert-ecc.pem"
 CACERT="$srcdir/../doc/credentials/x509/ca.pem"
 
-eval "${GETPORT}"
-launch_server --echo --priority NORMAL:-GROUP-ALL:+GROUP-X25519-KYBER768 --x509keyfile="$KEY" --x509certfile="$CERT"
-PID=$!
-wait_server ${PID}
+# Test all supported hybrid groups
+for group in X25519-KYBER768 SECP256R1-MLKEM768 X25519-MLKEM768; do
+    if ! "${CLI}" --list | grep "^Groups: .*GROUP-$group.*" >/dev/null; then
+	echo "$group is not supported, skipping" >&2
+	continue
+    fi
+
+    eval "${GETPORT}"
+    launch_server --echo --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509keyfile="$KEY" --x509certfile="$CERT"
+    PID=$!
+    wait_server ${PID}
+
+    ${VALGRIND} "${CLI}" -p "${PORT}" localhost --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509cafile="$CACERT" --logfile="$testdir/cli.log" </dev/null
+    kill ${PID}
+    wait
+
+    grep -- "- Description: (TLS1.3-X.509)-(HYBRID-$group)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)" "$testdir/cli.log" || { echo "unexpected handshake description"; cat "$testdir/cli.log"; exit 1; }
+done
+
+# KEM based groups cannot be used standalone
+for group in KYBER768 MLKEM768; do
+    if ! "${CLI}" --list | grep "^Groups: .*GROUP-$group.*" >/dev/null; then
+	"$group is not supported, skipping"
+	continue
+    fi
+
+    eval "${GETPORT}"
+    launch_server --echo --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509keyfile="$KEY" --x509certfile="$CERT"
+    PID=$!
+    wait_server ${PID}
+
+    ${VALGRIND} "${CLI}" -p "${PORT}" localhost --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509cafile="$CACERT" --logfile="$testdir/cli.log" </dev/null
+    rc=$?
+    kill ${PID}
+    wait
+
+    if test $rc -eq 0; then
+	fail '' 'Handshake succeeded with a standalone KEM group'
+    fi
+done
+
+# Check if disabling a curve will also disables hybrid groups with it
+cat <<_EOF_ > "$testdir/test.config"
+[overrides]
+
+disabled-curve = x25519
+_EOF_
+
+for group in X25519-KYBER768 SECP256R1-MLKEM768 X25519-MLKEM768; do
+    if ! "${CLI}" --list | grep "^Groups: .*GROUP-$group.*" >/dev/null; then
+	echo "$group is not supported, skipping" >&2
+	continue
+    fi
 
-${VALGRIND} "${CLI}" -p "${PORT}" localhost --priority NORMAL:-GROUP-ALL:+GROUP-X25519-KYBER768 --x509cafile="$CACERT" --logfile="$testdir/cli.log" </dev/null
+    eval "${GETPORT}"
+    GNUTLS_SYSTEM_PRIORITY_FILE="$testdir/test.config" launch_server --echo --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509keyfile="$KEY" --x509certfile="$CERT"
+    PID=$!
+    wait_server ${PID}
 
-kill ${PID}
-wait
+    ${VALGRIND} "${CLI}" -p "${PORT}" localhost --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509cafile="$CACERT" --logfile="$testdir/cli.log" </dev/null
+    rc=$?
+    kill ${PID}
+    wait
 
-grep -- '- Description: (TLS1.3-X.509)-(ECDHE-X25519-KYBER768)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)' "$testdir/cli.log" || { echo "unexpected handshake description"; exit 1; }
+    case "$group" in
+	X25519*)
+	    if test $rc -eq 0; then
+		fail '' 'Handshake succeeded with a hybrid group with X25519'
+	    fi
+	    ;;
+	*)
+	    grep -- "- Description: (TLS1.3-X.509)-(HYBRID-$group)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)" "$testdir/cli.log" || { echo "unexpected handshake description"; cat "$testdir/cli.log"; exit 1; }
+	    ;;
+    esac
+done
 
 rm -rf "$testdir"
 exit 0
-- 
2.47.1