ML-KEM: Add check for Pubkey hash mismatch on decoding the dk

lealem47 · lealem47 · commit f5cb791e3975 · 2025-11-24T10:22:40.000-07:00
diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c
@@ -656,6 +656,9 @@ const char* wc_GetErrorString(int error)
     case INTERRUPTED_E:
         return "Process interrupted";
 
+    case MLKEM_PUB_HASH_E:
+        return "ML-KEM priv key's stored hash doesn't match encoded pub key";
+
     case MAX_CODE_E:
     case WC_SPAN1_MIN_CODE_E:
     case MIN_CODE_E:
diff --git a/wolfcrypt/src/wc_mlkem.c b/wolfcrypt/src/wc_mlkem.c
@@ -1681,6 +1681,9 @@ int wc_MlKemKey_DecodePrivateKey(MlKemKey* key, const unsigned char* in,
     }
 
     if (ret == 0) {
+        byte computedHash[WC_ML_KEM_SYM_SZ];
+        XMEMSET(computedHash, 0, WC_ML_KEM_SYM_SZ);
+
         /* Decode private key that is vector of polynomials.
          * Alg 18 Step 1: dk_PKE <- dk[0 : 384k]
          * Alg 15 Step 5: s_hat <- ByteDecode_12(dk_PKE) */
@@ -1689,16 +1692,24 @@ int wc_MlKemKey_DecodePrivateKey(MlKemKey* key, const unsigned char* in,
 
         /* Decode the public key that is after the private key. */
         mlkemkey_decode_public(key->pub, key->pubSeed, p, k);
+        /* Compute the hash of the public key. */
+        MLKEM_HASH_H(&key->hash, p, pubLen, computedHash);
         p += pubLen;
 
         /* Copy the hash of the encoded public key that is after public key. */
         XMEMCPY(key->h, p, sizeof(key->h));
         p += WC_ML_KEM_SYM_SZ;
+
         /* Copy the z (randomizer) that is after hash. */
         XMEMCPY(key->z, p, sizeof(key->z));
 
         /* Set flags */
         key->flags |= MLKEM_FLAG_H_SET | MLKEM_FLAG_BOTH_SET;
+
+        /* Compare computed public key hash with stored hash */
+        if (XMEMCMP(key->h, computedHash, WC_ML_KEM_SYM_SZ) != 0)
+            ret = MLKEM_PUB_HASH_E;
+
     }
 
     return ret;
diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h
@@ -307,9 +307,11 @@ enum wolfCrypt_ErrorCodes {
     WC_ACCEL_INHIBIT_E  = -1002, /* Crypto acceleration is currently inhibited */
     BAD_INDEX_E         = -1003, /* Bad index */
     INTERRUPTED_E       = -1004, /* Process interrupted */
+    MLKEM_PUB_HASH_E    = -1005, /* Encoded public key in decapsulation key does
+                                  * not match stored hash*/
 
-    WC_SPAN2_LAST_E     = -1004, /* Update to indicate last used error code */
-    WC_LAST_E           = -1004, /* the last code used either here or in
+    WC_SPAN2_LAST_E     = -1005, /* Update to indicate last used error code */
+    WC_LAST_E           = -1005, /* the last code used either here or in
                                   * error-ssl.h */
 
     WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */
