From: Joachim Vandersmissen Date: Fri, 18 Apr 2025 17:48:24 +0000 (-0500) Subject: Properly zeroize ML-KEM z and d values X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d44f67aafb26ea3adcd33cd6d34bc17e40466cb;p=thirdparty%2Fopenssl.git Properly zeroize ML-KEM z and d values Ensure z and d are actually zeroized by cleansing the full size of s, rather than just vector_bytes. Reviewed-by: Viktor Dukhovni Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27437) --- diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c index ec752334358..662e7dd622e 100644 --- a/crypto/ml_kem/ml_kem.c +++ b/crypto/ml_kem/ml_kem.c @@ -1550,7 +1550,7 @@ ossl_ml_kem_key_reset(ML_KEM_KEY *key) */ if (ossl_ml_kem_have_prvkey(key)) OPENSSL_cleanse(key->s, - key->vinfo->vector_bytes + 2 * ML_KEM_RANDOM_BYTES); + key->vinfo->rank * sizeof(scalar) + 2 * ML_KEM_RANDOM_BYTES); OPENSSL_free(key->t); key->d = key->z = (uint8_t *)(key->s = key->m = key->t = NULL); }
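Review bot: In the `OPENSSL_cleanse` call in `ossl_ml_kem_key_reset`, the length `key->vinfo->rank * sizeof(scalar) + 2 * ML_KEM_RANDOM_BYTES` is still written out by hand, so it must be kept in step with wherever the storage behind `key->s` is sized. That is the same kind of mismatch the commit message describes for `vector_bytes`. Consider deriving the private-storage length in one place (a macro or small helper taking `vinfo`, or a length recorded in the key when it is allocated) and using it for both the allocation and the cleanse. A short comment would also help here, stating that the trailing `2 * ML_KEM_RANDOM_BYTES` is meant to cover `z` and `d`, and that it only reaches them when the first term covers the full in-memory size of `s`. A regression check that `z` and `d` read back as zero after a reset would keep this from recurring silently.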