Properly zeroize ML-KEM z and d values

Ensure z and d are actually zeroized by cleansing the full size of s,
rather than just vector_bytes.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27437)

(cherry picked from commit 5d44f67aafb26ea3adcd33cd6d34bc17e40466cb)

diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
index ec7523343584fb763cc7f56cb0377115017fa2c1..662e7dd622e24879f5d71fa2117a272986ed8aea 100644 (file)
--- a/crypto/ml_kem/ml_kem.c
+++ b/crypto/ml_kem/ml_kem.c
@@ -1550,7 +1550,7 @@ ossl_ml_kem_key_reset(ML_KEM_KEY *key)
      */
     if (ossl_ml_kem_have_prvkey(key))
         OPENSSL_cleanse(key->s,
-                        key->vinfo->vector_bytes + 2 * ML_KEM_RANDOM_BYTES);
+                        key->vinfo->rank * sizeof(scalar) + 2 * ML_KEM_RANDOM_BYTES);
     OPENSSL_free(key->t);
     key->d = key->z = (uint8_t *)(key->s = key->m = key->t = NULL);
 }