From: Igor Ustinov
Date: Tue, 4 Nov 2025 13:20:47 +0000 (+0100)
Subject: ML_KEM init refactoring, unconditional entropy cleanup
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~176
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9248e19dd22e1301d99aeba0082696ccda8da54;p=thirdparty%2Fopenssl.git
ML_KEM init refactoring, unconditional entropy cleanup
Fixes #27746
Reviewed-by: Viktor Dukhovni
Reviewed-by: Shane Lontis
Reviewed-by: Tim Hudson
(Merged from https://github.com/openssl/openssl/pull/29062)
---
diff --git a/providers/implementations/kem/ml_kem_kem.c b/providers/implementations/kem/ml_kem_kem.c
index bb27c962666..13b097823e0 100644
--- a/providers/implementations/kem/ml_kem_kem.c
+++ b/providers/implementations/kem/ml_kem_kem.c
@@ -70,6 +70,10 @@ static int ml_kem_init(void *vctx, int op, void *key,
 return 0;
 ctx->key = key;
 ctx->op = op;
+ if (ctx->entropy != NULL) {
+ OPENSSL_cleanse(ctx->entropy, ML_KEM_RANDOM_BYTES);
+ ctx->entropy = NULL;
+ }
 return ml_kem_set_ctx_params(vctx, params);
 }
@@ -105,12 +109,6 @@ static int ml_kem_set_ctx_params(void *vctx, const OSSL_PARAM params[])
 if (ctx == NULL || !ml_kem_set_ctx_params_decoder(params, &p))
 return 0;
- if (ctx->op == EVP_PKEY_OP_DECAPSULATE && ctx->entropy != NULL) {
- /* Decapsulation is deterministic */
- OPENSSL_cleanse(ctx->entropy, ML_KEM_RANDOM_BYTES);
- ctx->entropy = NULL;
- }
-
 /* Encapsulation ephemeral input key material "ikmE" */
 if (ctx->op == EVP_PKEY_OP_ENCAPSULATE && p.ikme != NULL) {
 size_t len = ML_KEM_RANDOM_BYTES;
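Review bot: The new unconditional cleanse block in ml_kem_init carries no comment, and the only rationale the file had for discarding entropy (`/* Decapsulation is deterministic */`, removed in the second hunk of ml_kem_set_ctx_params) disappears with it; a one-line why-comment above the added `if`, such as `/* Discard any ikmE left from a previous operation; encapsulation may supply a fresh one via params below */`, would keep the intent visible. Clearing before the `ml_kem_set_ctx_params(vctx, params)` call is the right order, since that function is where caller-supplied ikmE is installed (visible only for `ctx->op == EVP_PKEY_OP_ENCAPSULATE`), so stale encapsulation randomness no longer survives a re-init of the same context, which appears to be the point of the fix. The early `return 0;` above `ctx->key = key` leaves any prior entropy buffer untouched on that path; that seems harmless provided the context-free routine also cleanses it, but that code is outside both hunks and worth confirming. ml_kem_init begins before the first hunk, and the enclosing `if` in ml_kem_set_ctx_params continues past the second.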