ML_DSA: Fix partially uninitialised hint buffer.

The encoded hint data consists of omega + k bytes.
The bytes at the end of omega section of the buffer may be 0,
so the buffer must be cleared initially.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)

diff --git a/crypto/ml_dsa/ml_dsa_encoders.c b/crypto/ml_dsa/ml_dsa_encoders.c
index 41383c9739970889829a131f92a0158350a0a201..e669c511a7a678fcef8f0b6a2782bdf1a602bfc0 100644 (file)
--- a/crypto/ml_dsa/ml_dsa_encoders.c
+++ b/crypto/ml_dsa/ml_dsa_encoders.c
@@ -821,6 +821,7 @@ static int hint_bits_encode(const VECTOR *hint, WPACKET *pkt, uint32_t omega)
 
     if (!WPACKET_allocate_bytes(pkt, omega + k, &data))
         return 0;
+    memset(data, 0, omega + k);
 
     for (i = 0; i < k; i++, p++) {
         for (j = 0; j < ML_DSA_NUM_POLY_COEFFICIENTS; j++)