From 5d44f67aafb26ea3adcd33cd6d34bc17e40466cb Mon Sep 17 00:00:00 2001
From: Joachim Vandersmissen <git@jvdsn.com>
Date: Fri, 18 Apr 2025 12:48:24 -0500
Subject: [PATCH] Properly zeroize ML-KEM z and d values

Ensure z and d are actually zeroized by cleansing the full size of s,
rather than just vector_bytes.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27437)
---
 crypto/ml_kem/ml_kem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
index ec752334358..662e7dd622e 100644
--- a/crypto/ml_kem/ml_kem.c
+++ b/crypto/ml_kem/ml_kem.c
@@ -1550,7 +1550,7 @@ ossl_ml_kem_key_reset(ML_KEM_KEY *key)
      */
     if (ossl_ml_kem_have_prvkey(key))
         OPENSSL_cleanse(key->s,
-                        key->vinfo->vector_bytes + 2 * ML_KEM_RANDOM_BYTES);
+                        key->vinfo->rank * sizeof(scalar) + 2 * ML_KEM_RANDOM_BYTES);
     OPENSSL_free(key->t);
     key->d = key->z = (uint8_t *)(key->s = key->m = key->t = NULL);
 }
-- 
2.47.2