
@lealem47
Contributor

Description

Fix to adhere to FIPS 203 – Algorithm 18 (Decaps_internal)

Re-encode ek_PKE and compute h' = H(ek_PKE)
Reject the decapsulation key if h' ≠ h.

Testing

CAVP vectors with a private key whose embedded public key does not match the hash stored in the key.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation
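The check the description above specifies, as an added Python illustration that is not wolfSSL code or part of this PR: it parses the FIPS 203 decapsulation-key layout (dk = dk_PKE || ek_PKE || h || z, with k = 2, 3, 4 for ML-KEM-512/768/1024), recomputes h' = SHA3-256(ek_PKE) and compares it against the stored h in constant time, which is also the point raised in the constant-time note below. The sample keys are constructed filler bytes (layout-correct, not real lattice keys) and the function names are assumptions of this example.

```python
import hashlib
import hmac

WC_ML_KEM_SYM_SZ = 32                      # size of h and z in bytes
K_BY_PARAM_SET = {512: 2, 768: 3, 1024: 4}  # module rank k per parameter set


def dk_offsets(k: int):
    """Byte layout of an ML-KEM decapsulation key (FIPS 203):
    dk = dk_PKE (384k) || ek_PKE (384k + 32) || h (32) || z (32)."""
    dk_pke_len = 384 * k
    ek_pke_len = 384 * k + 32
    ek_start = dk_pke_len
    h_start = ek_start + ek_pke_len
    z_start = h_start + WC_ML_KEM_SYM_SZ
    total = z_start + WC_ML_KEM_SYM_SZ
    return ek_start, h_start, z_start, total


def check_decaps_key(dk: bytes, k: int) -> bool:
    """Decapsulation-key input check: recompute h' = H(ek_PKE) with
    H = SHA3-256 and reject the key if h' != h. The comparison is done
    with hmac.compare_digest so the reject does not leak via timing
    which byte of the stored hash first differs."""
    ek_start, h_start, z_start, total = dk_offsets(k)
    if len(dk) != total:               # wrong length: reject before slicing
        return False
    ek_pke = dk[ek_start:h_start]
    h = dk[h_start:z_start]
    h_prime = hashlib.sha3_256(ek_pke).digest()
    return hmac.compare_digest(h_prime, h)


def build_sample_dk(k: int, corrupt_hash: bool = False) -> bytes:
    """Constructed sample key: dk_PKE, ek_PKE and z are deterministic filler
    (not a real lattice key); only the layout and the embedded hash matter
    for exercising the check. corrupt_hash=True mimics a key whose stored
    hash does not match its embedded public key."""
    ek_start, h_start, z_start, total = dk_offsets(k)
    filler = hashlib.shake_128(b"constructed sample").digest(total)
    ek_pke = filler[ek_start:h_start]
    h = hashlib.sha3_256(ek_pke).digest()
    if corrupt_hash:
        h = bytes([h[0] ^ 0x01]) + h[1:]   # flip one bit of the stored hash
    return filler[:ek_start] + ek_pke + h + filler[z_start:total]


if __name__ == "__main__":
    for param_set, k in K_BY_PARAM_SET.items():
        good = check_decaps_key(build_sample_dk(k), k)
        bad = check_decaps_key(build_sample_dk(k, corrupt_hash=True), k)
        print(f"ML-KEM-{param_set}: consistent={good} corrupted={bad}")
```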

@lealem47 lealem47 requested a review from SparkiDev November 24, 2025 17:50
@lealem47 lealem47 self-assigned this Nov 24, 2025
@devin-ai-integration
Contributor

🛟 Devin Lifeguard found 2 likely issues in this PR

  • check-all-return-codes snippet: Check the signature of MLKEM_HASH_H; if it returns an int error code, store the result (e.g. ret = MLKEM_HASH_H(...); if (ret != 0) return ret;) before proceeding.
  • prefer-constant-time snippet: Confirm whether XMEMCMP executes in constant time; if not, replace it with a constant-time comparison routine (e.g., wc_MemcmpCT) when comparing cryptographic hashes.

@lealem47
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

@lealem47
Contributor Author

lealem47 commented Nov 24, 2025

Jenkins retest this please

@lealem47 lealem47 assigned wolfSSL-Bot and SparkiDev and unassigned lealem47 Nov 24, 2025
/* Decode the public key that is after the private key. */
mlkemkey_decode_public(key->pub, key->pubSeed, p, k);
/* Compute the hash of the public key. */
MLKEM_HASH_H(&key->hash, p, pubLen, computedHash);
Contributor

MLKEM_HASH_H may fail.

}

if (ret == 0) {
byte computedHash[WC_ML_KEM_SYM_SZ];
Contributor

Hash into key->h and compare with the data in the encoded private key.

Don't need computedHash then.

Contributor Author

Great point, fixed

@SparkiDev SparkiDev assigned lealem47 and unassigned SparkiDev Nov 24, 2025
@lealem47 lealem47 requested a review from SparkiDev November 25, 2025 00:02
@lealem47 lealem47 removed their assignment Nov 25, 2025