From 4cd79ef66303d6f033307a79d2bbb6fe5a6e555d Mon Sep 17 00:00:00 2001
From: dkostic
Date: Thu, 26 Sep 2024 15:34:04 -0700
Subject: [PATCH] ML-KEM FIPS 203 destruction of intermidiate values
---
 crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c | 29 ++++++++++++++++++++
 crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c | 14 ++++++++++
 2 files changed, 43 insertions(+)
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c
index dcc5412d6c..d83f9d433d 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c
@@ -190,6 +190,9 @@ void gen_matrix(ml_kem_params *params, polyvec *a, const uint8_t seed[KYBER_SYMB
 }
 }
 }
+
+ // FIPS 203. Section 3.3 Destruction of intermidiate values.
+ OPENSSL_memset(buf, 0, sizeof(buf));
 }
 /*************************************************
@@ -244,6 +247,14 @@ void indcpa_keypair_derand(ml_kem_params *params,
 pack_sk(params, sk, &skpv);
 pack_pk(params, pk, &pkpv, publicseed);
+
+ // FIPS 203. Section 3.3 Destruction of intermidiate values.
+ OPENSSL_memset(buf, 0, sizeof(buf));
+ OPENSSL_memset(coins_with_domain_separator, 0, sizeof(coins_with_domain_separator));
+ OPENSSL_memset(a, 0, sizeof(a));
+ OPENSSL_memset(&e, 0, sizeof(e));
+ OPENSSL_memset(&pkpv, 0, sizeof(pkpv));
+ OPENSSL_memset(&skpv, 0, sizeof(skpv));
 }
@@ -303,6 +314,17 @@ void indcpa_enc(ml_kem_params *params,
 poly_reduce(&v);
 pack_ciphertext(params, c, &b, &v);
+
+ // FIPS 203. Section 3.3 Destruction of intermidiate values.
+ OPENSSL_memset(seed, 0, sizeof(seed));
+ OPENSSL_memset(&sp, 0, sizeof(sp));
+ OPENSSL_memset(&pkpv, 0, sizeof(pkpv));
+ OPENSSL_memset(&ep, 0, sizeof(ep));
+ OPENSSL_memset(&at, 0, sizeof(at));
+ OPENSSL_memset(&b, 0, sizeof(b));
+ OPENSSL_memset(&v, 0, sizeof(v));
+ OPENSSL_memset(&k, 0, sizeof(k));
+ OPENSSL_memset(&epp, 0, sizeof(epp));
 }
 /************************************************* 
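Review bot: The zeroization added at the end of gen_matrix, indcpa_keypair_derand and indcpa_enc is done with OPENSSL_memset, which in BoringSSL-derived trees appears to be a thin inline wrapper over memset; because none of the cleared locals is read again before the function returns, the compiler may legitimately drop these stores as dead, so the requirement the comment cites (FIPS 203 Section 3.3) is not reliably met. The same applies to the indcpa_dec hunk and to all four kem.c hunks (crypto_kem_keypair, crypto_kem_enc_derand, crypto_kem_enc, crypto_kem_dec). Every one of these calls should use the library's optimization-resistant zeroization primitive instead, e.g. `OPENSSL_cleanse(buf, sizeof(buf));`, keeping the same argument and size. The comment text also misspells "intermediate" in each hunk. Several sizes rely on sizeof of an object declared outside the hunk (buf, coins_with_domain_separator, a, seed, at); if any of those is a pointer rather than a local array, sizeof yields the pointer width and only a few bytes get cleared, so it is worth confirming against the declarations, which are outside the visible lines.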
@@ -340,4 +362,11 @@ void indcpa_dec(ml_kem_params *params,
 poly_reduce(&mp);
 poly_tomsg(m, &mp);
+
+
+ // FIPS 203. Section 3.3 Destruction of intermidiate values.
+ OPENSSL_memset(&b, 0, sizeof(b));
+ OPENSSL_memset(&skpv, 0, sizeof(skpv));
+ OPENSSL_memset(&v, 0, sizeof(v));
+ OPENSSL_memset(&mp, 0, sizeof(mp));
 }
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c
index 732ee61028..f990f47413 100644
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c
@@ -57,6 +57,9 @@ int crypto_kem_keypair(ml_kem_params *params,
 uint8_t coins[2*KYBER_SYMBYTES];
 RAND_bytes(coins, 2*KYBER_SYMBYTES);
 crypto_kem_keypair_derand(params, pk, sk, coins);
+
+ // FIPS 203. Section 3.3 Destruction of intermidiate values.
+ OPENSSL_memset(coins, 0, sizeof(coins));
 return 0;
 }
@@ -268,6 +271,10 @@ int crypto_kem_enc_derand(ml_kem_params *params,
 indcpa_enc(params, ct, buf, pk, kr+KYBER_SYMBYTES);
 memcpy(ss,kr,KYBER_SYMBYTES);
+
+ // FIPS 203. Section 3.3 Destruction of intermidiate values.
+ OPENSSL_memset(buf, 0, sizeof(buf));
+ OPENSSL_memset(kr, 0, sizeof(kr));
 return 0;
 }
@@ -298,6 +305,9 @@ int crypto_kem_enc(ml_kem_params *params,
 uint8_t coins[KYBER_SYMBYTES];
 RAND_bytes(coins, KYBER_SYMBYTES);
 crypto_kem_enc_derand(params, ct, ss, pk, coins);
+
+ // FIPS 203. Section 3.3 Destruction of intermidiate values.
+ OPENSSL_memset(coins, 0, sizeof(coins));
 return 0;
 }
@@ -351,5 +361,9 @@ int crypto_kem_dec(ml_kem_params *params,
 /* Copy true key to return buffer if fail is false */
 cmov(ss,kr,KYBER_SYMBYTES,!fail);
+ // FIPS 203. Section 3.3 Destruction of intermidiate values.
+ OPENSSL_memset(buf, 0, sizeof(buf));
+ OPENSSL_memset(kr, 0, sizeof(kr));
+ OPENSSL_memset(cmp, 0, sizeof(cmp));
 return 0;
 }
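Review bot: The spacing before the new zeroization comment is inconsistent across the sites: the indcpa_dec hunk inserts two blank lines, the crypto_kem_dec hunk inserts none after `cmov(ss,kr,KYBER_SYMBYTES,!fail);`, and every other hunk inserts exactly one. Pick one layout (a single blank line matches the rest of the series) and apply it at all eight sites so the zeroization epilogue reads the same in each function.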