add PQ key integrity tests

Author: JeremiahM37

tests/api/test_mlkem.c

@@ -4018,3 +4018,63 @@ int test_wc_mlkem_decap_fo_reject(void)
     return EXPECT_RESULT();
 } /* END test_wc_mlkem_decap_fo_reject */
 
+/*
+ * Exercise the public-key-hash integrity check in wc_MlKemKey_DecodePrivateKey.
+ * Encode a valid private key, flip a byte inside the embedded H(pk) field,
+ * then re-decode and assert MLKEM_PUB_HASH_E is returned.
+ *
+ * Private key layout per FIPS 203: dk_PKE || ek || H(ek) || z
+ * The 32-byte hash H(ek) sits at offset (privLen - 2 * WC_ML_KEM_SYM_SZ).
+ */
+int test_wc_mlkem_decode_privkey_bad_pubhash(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_HAVE_MLKEM) && defined(WOLFSSL_WC_MLKEM) && \
+    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY)
+    MlKemKey* key = NULL;
+    WC_RNG rng;
+    byte   priv[WC_ML_KEM_MAX_PRIVATE_KEY_SIZE];
+    word32 privLen = 0;
+#ifndef WOLFSSL_NO_ML_KEM_768
+    const int mlkemType = WC_ML_KEM_768;
+#elif !defined(WOLFSSL_NO_ML_KEM_512)
+    const int mlkemType = WC_ML_KEM_512;
+#else
+    const int mlkemType = WC_ML_KEM_1024;
+#endif
+
+    XMEMSET(&rng, 0, sizeof(rng));
+    XMEMSET(priv, 0, sizeof(priv));
+
+    key = (MlKemKey*)XMALLOC(sizeof(*key), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    ExpectNotNull(key);
+    ExpectIntEQ(wc_InitRng(&rng), 0);
+
+    ExpectIntEQ(wc_MlKemKey_Init(key, mlkemType, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_MlKemKey_MakeKey(key, &rng), 0);
+    ExpectIntEQ(wc_MlKemKey_PrivateKeySize(key, &privLen), 0);
+    ExpectTrue(privLen > (word32)(2 * WC_ML_KEM_SYM_SZ));
+    ExpectIntEQ(wc_MlKemKey_EncodePrivateKey(key, priv, privLen), 0);
+
+    /* Baseline: untampered blob decodes cleanly. */
+    wc_MlKemKey_Free(key);
+    ExpectIntEQ(wc_MlKemKey_Init(key, mlkemType, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_MlKemKey_DecodePrivateKey(key, priv, privLen), 0);
+    wc_MlKemKey_Free(key);
+
+    /* Flip one byte inside H(ek) - the 32 bytes preceding z. */
+    if (privLen > (word32)(2 * WC_ML_KEM_SYM_SZ)) {
+        priv[privLen - 2 * WC_ML_KEM_SYM_SZ] ^= 0x01;
+    }
+
+    ExpectIntEQ(wc_MlKemKey_Init(key, mlkemType, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_MlKemKey_DecodePrivateKey(key, priv, privLen),
+        WC_NO_ERR_TRACE(MLKEM_PUB_HASH_E));
+    wc_MlKemKey_Free(key);
+
+    DoExpectIntEQ(wc_FreeRng(&rng), 0);
+    XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+    return EXPECT_RESULT();
+} /* END test_wc_mlkem_decode_privkey_bad_pubhash */
+

tests/api/test_mlkem.h

@@ -29,12 +29,14 @@ int test_wc_mlkem_encapsulate_kats(void);
 int test_wc_mlkem_decapsulate_kats(void);
 int test_wc_mlkem_decapsulate_pubonly_fails(void);
 int test_wc_mlkem_decap_fo_reject(void);
+int test_wc_mlkem_decode_privkey_bad_pubhash(void);
 
 #define TEST_MLKEM_DECLS                                                \
     TEST_DECL_GROUP("mlkem", test_wc_mlkem_make_key_kats),              \
     TEST_DECL_GROUP("mlkem", test_wc_mlkem_encapsulate_kats),           \
     TEST_DECL_GROUP("mlkem", test_wc_mlkem_decapsulate_kats),           \
     TEST_DECL_GROUP("mlkem", test_wc_mlkem_decapsulate_pubonly_fails),  \
-    TEST_DECL_GROUP("mlkem", test_wc_mlkem_decap_fo_reject)
+    TEST_DECL_GROUP("mlkem", test_wc_mlkem_decap_fo_reject),            \
+    TEST_DECL_GROUP("mlkem", test_wc_mlkem_decode_privkey_bad_pubhash)
 
 #endif /* WOLFCRYPT_TEST_MLKEM_H */

tests/api/test_slhdsa.c

@@ -1164,6 +1164,12 @@ int test_wc_slhdsa_check_key(void)
     ExpectIntEQ(wc_SlhDsaKey_ImportPublic(&key, pubKey, pubKeyLen), 0);
     ExpectIntEQ(wc_SlhDsaKey_ImportPrivate(&key, privKey, privKeyLen), 0);
     ExpectIntEQ(wc_SlhDsaKey_CheckKey(&key), 0);
+
+    /* Tamper the private seed. The re-derived root will not match the
+     * stored pk_root, so CheckKey must return WC_KEY_MISMATCH_E. */
+    key.sk[0] ^= 0x01;
+    ExpectIntEQ(wc_SlhDsaKey_CheckKey(&key),
+        WC_NO_ERR_TRACE(WC_KEY_MISMATCH_E));
     wc_SlhDsaKey_Free(&key);
 
     wc_FreeRng(&rng);