From c75d0ae38e1829368b0482e4f0b4eeba47f9fbf3 Mon Sep 17 00:00:00 2001
From: Alec Bakholdin <alecbakholdin@gmail.com>
Date: Sun, 22 Dec 2024 20:36:59 -0500
Subject: [PATCH] crypto/mlkem: swap order of return values of Encapsulate

Per FIPS 203 (https://csrc.nist.gov/pubs/fips/203/final), the order of return values should be sharedKey, ciphertext. This commit simply swaps those return values and updates any consumers of the Encapsulate() method to respect the new order.

Fixes #70950

Change-Id: I2a0d605e3baf7fe69510d60d3d35bbac18f883c9
Reviewed-on: https://go-review.googlesource.com/c/go/+/638376
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Austin Clements <austin@google.com>
Auto-Submit: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
---
 handshake_server_tls13.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handshake_server_tls13.go b/handshake_server_tls13.go
index 3552d89..76fff69 100644
--- a/handshake_server_tls13.go
+++ b/handshake_server_tls13.go
@@ -280,7 +280,7 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
 			c.sendAlert(alertIllegalParameter)
 			return errors.New("tls: invalid X25519MLKEM768 client key share")
 		}
-		ciphertext, mlkemSharedSecret := k.Encapsulate()
+		mlkemSharedSecret, ciphertext := k.Encapsulate()
 		// draft-kwiatkowski-tls-ecdhe-mlkem-02, Section 3.1.3: "For
 		// X25519MLKEM768, the shared secret is the concatenation of the ML-KEM
 		// shared secret and the X25519 shared secret. The shared secret is 64