Merge pull request #9470 from lealem47/MLKEM_PUB_HASH_E

ML-KEM: Add check for Pubkey hash mismatch on decoding the dk

wolfcrypt/src/error.c

@@ -656,6 +656,9 @@ const char* wc_GetErrorString(int error)
     case INTERRUPTED_E:
         return "Process interrupted";
 
+    case MLKEM_PUB_HASH_E:
+        return "ML-KEM priv key's stored hash doesn't match encoded pub key";
+
     case MAX_CODE_E:
     case WC_SPAN1_MIN_CODE_E:
     case MIN_CODE_E:

wolfcrypt/src/wc_mlkem.c

@@ -1689,7 +1689,15 @@ int wc_MlKemKey_DecodePrivateKey(MlKemKey* key, const unsigned char* in,
 
         /* Decode the public key that is after the private key. */
         mlkemkey_decode_public(key->pub, key->pubSeed, p, k);
+        /* Compute the hash of the public key. */
+        ret = MLKEM_HASH_H(&key->hash, p, pubLen, key->h);
         p += pubLen;
+    }
+
+    if (ret == 0) {
+        /* Compare computed public key hash with stored hash */
+        if (XMEMCMP(key->h, p, WC_ML_KEM_SYM_SZ) != 0)
+            ret = MLKEM_PUB_HASH_E;
 
         /* Copy the hash of the encoded public key that is after public key. */
         XMEMCPY(key->h, p, sizeof(key->h));

wolfssl/wolfcrypt/error-crypt.h

@@ -307,9 +307,11 @@ enum wolfCrypt_ErrorCodes {
     WC_ACCEL_INHIBIT_E  = -1002, /* Crypto acceleration is currently inhibited */
     BAD_INDEX_E         = -1003, /* Bad index */
     INTERRUPTED_E       = -1004, /* Process interrupted */
+    MLKEM_PUB_HASH_E    = -1005, /* Encoded public key in decapsulation key does
+                                  * not match stored hash*/
 
-    WC_SPAN2_LAST_E     = -1004, /* Update to indicate last used error code */
-    WC_LAST_E           = -1004, /* the last code used either here or in
+    WC_SPAN2_LAST_E     = -1005, /* Update to indicate last used error code */
+    WC_LAST_E           = -1005, /* the last code used either here or in
                                   * error-ssl.h */
 
     WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */