Clear unused seed when expanded key is chosen
authorViktor Dukhovni <openssl-users@dukhovni.org>
Mon, 8 Jun 2026 07:49:14 +0000 (17:49 +1000)
committerViktor Dukhovni <viktor@openssl.org>
Thu, 18 Jun 2026 08:02:15 +0000 (18:02 +1000)
The transient "seedbuf" value should not persist in keys that are
loaded from the "expanded" form when "prefer_seed = no".

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 18 08:02:39 2026
(Merged from https://github.com/openssl/openssl/pull/31252)

crypto/ml_kem/ml_kem.c

index c8e6188f67dfb2a41fa6c8ffdeda46231c24e9fe..2fc0e5a980a98ecac0b464b0d23c904586ac4262 100644 (file)
@@ -1868,6 +1868,9 @@ int ossl_ml_kem_parse_private_key(const uint8_t *in, size_t len,
         || (mdctx = EVP_MD_CTX_new()) == NULL)
         return 0;
 
+    /* Clear any unused seed */
+    ossl_ml_kem_key_reset(key);
+
     if (add_storage(OPENSSL_malloc(vinfo->puballoc),
             OPENSSL_secure_malloc(vinfo->prvalloc), 1, 0, key))
         ret = parse_prvkey(in, mdctx, key);
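Review bot: The comment on the added ossl_ml_kem_key_reset(key) call at the top of the hunk says only "Clear any unused seed", which tells a maintainer neither why the reset is needed at this point nor what is expected to happen to the seed bytes; suggest `/* Reset the key: a seed left in "seedbuf" by an earlier step must not persist in a key loaded from its expanded form (prefer_seed = no) */`. Because the seed is secret key material, "clear" presumably means ossl_ml_kem_key_reset() zeroizes the seed buffer rather than only dropping its length or a flag; that is worth confirming against the reset implementation, which is not in the hunk. The reset runs only after EVP_MD_CTX_new() succeeds, so the early `return 0` on the preceding lines leaves any stale seed in place; if callers may keep using the key object after that failure, the reset would belong before the allocation check. ossl_ml_kem_parse_private_key begins and ends outside the hunk.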