mlkem: use timingsafe_memcmp() in decapsulation

Replace memcmp() with timingsafe_memcmp() when comparing the re-encrypted ciphertext. FIPS 203 Section 6.3 defines this comparison result as a secret piece of intermediate data that must not be revealed in any form. ok tb
author: kenjiro <> 2026-03-06 09:22:29 +0000
committer: kenjiro <> 2026-03-06 09:22:29 +0000
commit: e6b7b55ad0eccc084f5757d7c3e4380079fc99b8 (patch)
tree: 05e5460fb6abc0dd5175010436dd906cbe6f6aa2 /src/lib/libcrypto
parent: 3e8e3350f28d719a890f42302d9a6ea79c6ccd11 (diff)
download: openbsd-e6b7b55ad0eccc084f5757d7c3e4380079fc99b8.tar.gz
openbsd-e6b7b55ad0eccc084f5757d7c3e4380079fc99b8.tar.bz2
openbsd-e6b7b55ad0eccc084f5757d7c3e4380079fc99b8.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.c b/src/lib/libcrypto/mlkem/mlkem_internal.c
index 048b147806..dec841312e 100644
--- a/src/lib/libcrypto/mlkem/mlkem_internal.c
+++ b/src/lib/libcrypto/mlkem/mlkem_internal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mlkem_internal.c,v 1.6 2026/01/18 08:49:42 tb Exp $ */
+/* $OpenBSD: mlkem_internal.c,v 1.7 2026/03/06 09:22:29 kenjiro Exp $ */
 /*
 * Copyright (c) 2024, Google Inc.
 * Copyright (c) 2024, 2025 Bob Beck <beck@obtuse.com>
@@ -1121,7 +1121,7 @@ mlkem_decap(const MLKEM_private_key *private_key, const uint8_t *ciphertext,
        encrypt_cpa(expected_ciphertext, &priv.pub, decrypted,
            key_and_randomness + 32, private_key->rank);
        kdf(failure_key, priv.fo_failure_secret, ciphertext, ciphertext_len);
-        mask = constant_time_eq_int_8(memcmp(ciphertext, expected_ciphertext,
+        mask = constant_time_eq_int_8(timingsafe_memcmp(ciphertext, expected_ciphertext,
            expected_ciphertext_length), 0);
        for (i = 0; i < MLKEM_SHARED_SECRET_LENGTH; i++) {
                out_shared_secret[i] = constant_time_select_8(mask,
author	kenjiro <>	2026-03-06 09:22:29 +0000
committer	kenjiro <>	2026-03-06 09:22:29 +0000
commit	e6b7b55ad0eccc084f5757d7c3e4380079fc99b8 (patch)
tree	05e5460fb6abc0dd5175010436dd906cbe6f6aa2 /src/lib/libcrypto
parent	3e8e3350f28d719a890f42302d9a6ea79c6ccd11 (diff)
download	openbsd-e6b7b55ad0eccc084f5757d7c3e4380079fc99b8.tar.gz openbsd-e6b7b55ad0eccc084f5757d7c3e4380079fc99b8.tar.bz2 openbsd-e6b7b55ad0eccc084f5757d7c3e4380079fc99b8.zip

diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.c b/src/lib/libcrypto/mlkem/mlkem_internal.c index 048b147806..dec841312e 100644 --- a/src/lib/libcrypto/mlkem/mlkem_internal.c +++ b/src/lib/libcrypto/mlkem/mlkem_internal.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: mlkem_internal.c,v 1.6 2026/01/18 08:49:42 tb Exp $ */	1	/* $OpenBSD: mlkem_internal.c,v 1.7 2026/03/06 09:22:29 kenjiro Exp $ */
2	/*	2	/*
3	* Copyright (c) 2024, Google Inc.	3	* Copyright (c) 2024, Google Inc.
4	* Copyright (c) 2024, 2025 Bob Beck <beck@obtuse.com>	4	* Copyright (c) 2024, 2025 Bob Beck <beck@obtuse.com>
@@ -1121,7 +1121,7 @@ mlkem_decap(const MLKEM_private_key private_key, const uint8_t ciphertext,
1121	encrypt_cpa(expected_ciphertext, &priv.pub, decrypted,	1121	encrypt_cpa(expected_ciphertext, &priv.pub, decrypted,
1122	key_and_randomness + 32, private_key->rank);	1122	key_and_randomness + 32, private_key->rank);
1123	kdf(failure_key, priv.fo_failure_secret, ciphertext, ciphertext_len);	1123	kdf(failure_key, priv.fo_failure_secret, ciphertext, ciphertext_len);
1124	mask = constant_time_eq_int_8(memcmp(ciphertext, expected_ciphertext,	1124	mask = constant_time_eq_int_8(timingsafe_memcmp(ciphertext, expected_ciphertext,
1125	expected_ciphertext_length), 0);	1125	expected_ciphertext_length), 0);
1126	for (i = 0; i < MLKEM_SHARED_SECRET_LENGTH; i++) {	1126	for (i = 0; i < MLKEM_SHARED_SECRET_LENGTH; i++) {
1127	out_shared_secret[i] = constant_time_select_8(mask,	1127	out_shared_secret[i] = constant_time_select_8(mask,