
Commit b7684c1

committed
Zeroize heap buffer after ML-DSA signing
Ensure that the heap buffer used to store, among other things, sensitive data during ML-DSA signing is zeroized before the memory is freed. Follow-up for zd21464. Reported by: Abhinav Agarwal (GitHub: @abhinavagarwal07)
1 parent b36a9ca commit b7684c1

1 file changed

Lines changed: 9 additions & 4 deletions


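--- a/wolfcrypt/src/dilithium.c
+++ b/wolfcrypt/src/dilithium.c
@@ -8157,6 +8157,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
 sword32* ct0 = NULL;
 byte priv_rand_seed[DILITHIUM_Y_SEED_SZ];
 byte* h = sig + params->lambda / 4 + params->zEncSz;
+unsigned int allocSz = 0;
 #ifdef WC_MLDSA_FAULT_HARDEN
 sword32* y_check;
 #endif
@@ -8206,8 +8207,6 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
 }
 #endif
 if (ret == 0) {
-unsigned int allocSz;
-
 /* y-l, w0-k, w1-k, c-1, z-l, ct0-k */
 allocSz = params->s1Sz + params->s2Sz + params->s2Sz +
 DILITHIUM_POLY_SIZE + params->s1Sz + params->s2Sz;
@@ -8415,6 +8414,9 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
 }
 
 ForceZero(priv_rand_seed, sizeof(priv_rand_seed));
+if (y != NULL) {
+ForceZero(y, allocSz);
+}
 XFREE(y, key->heap, DYNAMIC_TYPE_DILITHIUM);
 return ret;
 #else
@@ -8444,6 +8446,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
 byte* blocks = NULL;
 byte priv_rand_seed[DILITHIUM_Y_SEED_SZ];
 byte* h = sig + params->lambda / 4 + params->zEncSz;
+unsigned int allocSz = 0;
 #ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
 byte maxK = (byte)min(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A,
 params->k);
@@ -8463,8 +8466,6 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
 
 /* Allocate memory for large intermediates. */
 if (ret == 0) {
-unsigned int allocSz;
-
 /* y-l, w0-k, w1-k, blocks, c-1, z-1, A-1 */
 allocSz = params->s1Sz + params->s2Sz + params->s2Sz +
 DILITHIUM_REJ_NTT_POLY_H_SIZE +
@@ -8957,6 +8958,9 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
 }
 
 ForceZero(priv_rand_seed, sizeof(priv_rand_seed));
+if (y != NULL) {
+ForceZero(y, allocSz);
+}
 XFREE(y, key->heap, DYNAMIC_TYPE_DILITHIUM);
 return ret;
 #endif
@@ -9313,6 +9317,7 @@ static int dilithium_sign_ctx_hash(dilithium_key* key, WC_RNG* rng,
 hash, hashLen, sig, sigLen);
 }
 
+ForceZero(seed, sizeof(seed));
 return ret;
 }
 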
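Review bot: The two `ForceZero(y, allocSz)` calls (new lines 8418 and 8962) wipe the right number of bytes only if `allocSz` at cleanup is exactly the size that was allocated for `y`. The sums starting at new lines 8211 and 8470 are cut off by the hunks and the allocation itself is not visible, so this should be confirmed for every build configuration that adds to the sum. A short comment at each call would keep a later refactor from shrinking the wipe, for example `/* Buffer holds y and other signing intermediates: wipe the whole allocation before freeing. */`. In `dilithium_sign_ctx_hash`, `ForceZero(seed, sizeof(seed))` clears the full seed only if `seed` is a local array; its declaration is outside the hunk, and with a pointer only pointer-size bytes would be cleared. Any return path between filling `seed` and new line 9320 would also skip the wipe, which cannot be checked from the visible lines.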
