Zeroize memory in SHA3 implementation (#2171)

aidenfoxivey · web-flow · commit 50185c6e7203 · 2025-06-20T14:12:12.000-04:00
* Add OQS_MEM_aligned_secure_free convenience fn

Signed-off-by: Aiden Fox Ivey &lt;aiden@aidenfoxivey.com&gt;

* Rewrite SHA3 aligned frees to zeroize

Signed-off-by: Aiden Fox Ivey &lt;aiden@aidenfoxivey.com&gt;

---------

Signed-off-by: Aiden Fox Ivey &lt;aiden@aidenfoxivey.com&gt;
diff --git a/src/common/common.c b/src/common/common.c
@@ -411,6 +411,11 @@ void OQS_MEM_aligned_free(void *ptr) {
 #endif
 }
 
+void OQS_MEM_aligned_secure_free(void *ptr, size_t len) {
+	OQS_MEM_cleanse(ptr, len);
+	OQS_MEM_aligned_free(ptr);
+}
+
 OQS_API void *OQS_MEM_malloc(size_t size) {
 #if defined(OQS_USE_OPENSSL)
 	return OSSL_FUNC(CRYPTO_malloc)(size, OPENSSL_FILE, OPENSSL_LINE);
diff --git a/src/common/common.h b/src/common/common.h
@@ -274,6 +274,11 @@ void *OQS_MEM_aligned_alloc(size_t alignment, size_t size);
  */
 void OQS_MEM_aligned_free(void *ptr);
 
+/**
+ * Free and zeroize memory allocated with OQS_MEM_aligned_alloc.
+ */
+void OQS_MEM_aligned_secure_free(void *ptr, size_t len);
+
 #if defined(__cplusplus)
 } // extern "C"
 #endif
diff --git a/src/common/sha3/xkcp_sha3.c b/src/common/sha3/xkcp_sha3.c
@@ -224,7 +224,7 @@ static void SHA3_sha3_256_inc_finalize(uint8_t *output, OQS_SHA3_sha3_256_inc_ct
 }
 
 static void SHA3_sha3_256_inc_ctx_release(OQS_SHA3_sha3_256_inc_ctx *state) {
-	OQS_MEM_aligned_free(state->ctx);
+	OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);
 }
 
 static void SHA3_sha3_256_inc_ctx_clone(OQS_SHA3_sha3_256_inc_ctx *dest, const OQS_SHA3_sha3_256_inc_ctx *src) {
@@ -260,7 +260,7 @@ static void SHA3_sha3_384_inc_finalize(uint8_t *output, OQS_SHA3_sha3_384_inc_ct
 }
 
 static void SHA3_sha3_384_inc_ctx_release(OQS_SHA3_sha3_384_inc_ctx *state) {
-	OQS_MEM_aligned_free(state->ctx);
+	OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);
 }
 
 static void SHA3_sha3_384_inc_ctx_clone(OQS_SHA3_sha3_384_inc_ctx *dest, const OQS_SHA3_sha3_384_inc_ctx *src) {
@@ -297,7 +297,7 @@ static void SHA3_sha3_512_inc_finalize(uint8_t *output, OQS_SHA3_sha3_512_inc_ct
 }
 
 static void SHA3_sha3_512_inc_ctx_release(OQS_SHA3_sha3_512_inc_ctx *state) {
-	OQS_MEM_aligned_free(state->ctx);
+	OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);
 }
 
 static void SHA3_sha3_512_inc_ctx_clone(OQS_SHA3_sha3_512_inc_ctx *dest, const OQS_SHA3_sha3_512_inc_ctx *src) {
@@ -344,7 +344,7 @@ static void SHA3_shake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const O
 }
 
 static void SHA3_shake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state) {
-	OQS_MEM_aligned_free(state->ctx);
+	OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);
 }
 
 static void SHA3_shake128_inc_ctx_reset(OQS_SHA3_shake128_inc_ctx *state) {
@@ -383,7 +383,7 @@ static void SHA3_shake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_s
 }
 
 static void SHA3_shake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state) {
-	OQS_MEM_aligned_free(state->ctx);
+	OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);
 }
 
 static void SHA3_shake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src) {
diff --git a/src/common/sha3/xkcp_sha3x4.c b/src/common/sha3/xkcp_sha3x4.c
@@ -197,7 +197,7 @@ static void SHA3_shake128_x4_inc_ctx_clone(OQS_SHA3_shake128_x4_inc_ctx *dest, c
 }
 
 static void SHA3_shake128_x4_inc_ctx_release(OQS_SHA3_shake128_x4_inc_ctx *state) {
-	OQS_MEM_aligned_free(state->ctx);
+	OQS_MEM_aligned_secure_free(state->ctx, KECCAK_X4_CTX_BYTES);
 }
 
 static void SHA3_shake128_x4_inc_ctx_reset(OQS_SHA3_shake128_x4_inc_ctx *state) {
@@ -240,7 +240,7 @@ static void SHA3_shake256_x4_inc_ctx_clone(OQS_SHA3_shake256_x4_inc_ctx *dest, c
 }
 
 static void SHA3_shake256_x4_inc_ctx_release(OQS_SHA3_shake256_x4_inc_ctx *state) {
-	OQS_MEM_aligned_free(state->ctx);
+	OQS_MEM_aligned_secure_free(state->ctx, KECCAK_X4_CTX_BYTES);
 }
 
 static void SHA3_shake256_x4_inc_ctx_reset(OQS_SHA3_shake256_x4_inc_ctx *state) {

Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,7 @@ static void SHA3_sha3_256_inc_finalize(uint8_t *output, OQS_SHA3_sha3_256_inc_ct`
`224`	`224`	`}`
`225`	`225`
`226`	`226`	`static void SHA3_sha3_256_inc_ctx_release(OQS_SHA3_sha3_256_inc_ctx *state) {`
`227`		`- OQS_MEM_aligned_free(state->ctx);`
	`227`	`+ OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);`
`228`	`228`	`}`
`229`	`229`
`230`	`230`	`static void SHA3_sha3_256_inc_ctx_clone(OQS_SHA3_sha3_256_inc_ctx dest, const OQS_SHA3_sha3_256_inc_ctx src) {`
`@@ -260,7 +260,7 @@ static void SHA3_sha3_384_inc_finalize(uint8_t *output, OQS_SHA3_sha3_384_inc_ct`
`260`	`260`	`}`
`261`	`261`
`262`	`262`	`static void SHA3_sha3_384_inc_ctx_release(OQS_SHA3_sha3_384_inc_ctx *state) {`
`263`		`- OQS_MEM_aligned_free(state->ctx);`
	`263`	`+ OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);`
`264`	`264`	`}`
`265`	`265`
`266`	`266`	`static void SHA3_sha3_384_inc_ctx_clone(OQS_SHA3_sha3_384_inc_ctx dest, const OQS_SHA3_sha3_384_inc_ctx src) {`
`@@ -297,7 +297,7 @@ static void SHA3_sha3_512_inc_finalize(uint8_t *output, OQS_SHA3_sha3_512_inc_ct`
`297`	`297`	`}`
`298`	`298`
`299`	`299`	`static void SHA3_sha3_512_inc_ctx_release(OQS_SHA3_sha3_512_inc_ctx *state) {`
`300`		`- OQS_MEM_aligned_free(state->ctx);`
	`300`	`+ OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);`
`301`	`301`	`}`
`302`	`302`
`303`	`303`	`static void SHA3_sha3_512_inc_ctx_clone(OQS_SHA3_sha3_512_inc_ctx dest, const OQS_SHA3_sha3_512_inc_ctx src) {`
`@@ -344,7 +344,7 @@ static void SHA3_shake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const O`
`344`	`344`	`}`
`345`	`345`
`346`	`346`	`static void SHA3_shake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state) {`
`347`		`- OQS_MEM_aligned_free(state->ctx);`
	`347`	`+ OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);`
`348`	`348`	`}`
`349`	`349`
`350`	`350`	`static void SHA3_shake128_inc_ctx_reset(OQS_SHA3_shake128_inc_ctx *state) {`
`@@ -383,7 +383,7 @@ static void SHA3_shake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_s`
`383`	`383`	`}`
`384`	`384`
`385`	`385`	`static void SHA3_shake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state) {`
`386`		`- OQS_MEM_aligned_free(state->ctx);`
	`386`	`+ OQS_MEM_aligned_secure_free(state->ctx, KECCAK_CTX_BYTES);`
`387`	`387`	`}`
`388`	`388`
`389`	`389`	`static void SHA3_shake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx dest, const OQS_SHA3_shake256_inc_ctx src) {`
Original file line number	Diff line number	Diff line change
`@@ -197,7 +197,7 @@ static void SHA3_shake128_x4_inc_ctx_clone(OQS_SHA3_shake128_x4_inc_ctx *dest, c`
`197`	`197`	`}`
`198`	`198`
`199`	`199`	`static void SHA3_shake128_x4_inc_ctx_release(OQS_SHA3_shake128_x4_inc_ctx *state) {`
`200`		`- OQS_MEM_aligned_free(state->ctx);`
	`200`	`+ OQS_MEM_aligned_secure_free(state->ctx, KECCAK_X4_CTX_BYTES);`
`201`	`201`	`}`
`202`	`202`
`203`	`203`	`static void SHA3_shake128_x4_inc_ctx_reset(OQS_SHA3_shake128_x4_inc_ctx *state) {`
`@@ -240,7 +240,7 @@ static void SHA3_shake256_x4_inc_ctx_clone(OQS_SHA3_shake256_x4_inc_ctx *dest, c`
`240`	`240`	`}`
`241`	`241`
`242`	`242`	`static void SHA3_shake256_x4_inc_ctx_release(OQS_SHA3_shake256_x4_inc_ctx *state) {`
`243`		`- OQS_MEM_aligned_free(state->ctx);`
	`243`	`+ OQS_MEM_aligned_secure_free(state->ctx, KECCAK_X4_CTX_BYTES);`
`244`	`244`	`}`
`245`	`245`
`246`	`246`	`static void SHA3_shake256_x4_inc_ctx_reset(OQS_SHA3_shake256_x4_inc_ctx *state) {`