Fix SHAKE256 memory leak in Dilithium (#271)

crypto_sign/dilithium2/avx2/sign.c

@@ -201,6 +201,7 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_signature(
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     crh(rhoprime, key, SEEDBYTES + CRHBYTES);
 
@@ -350,6 +351,7 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_verify(
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     /* Matrix-vector multiplication; compute Az - c2^dt1 */
     PQCLEAN_DILITHIUM2_AVX2_expand_mat(mat, rho);

crypto_sign/dilithium2/clean/sign.c

@@ -192,6 +192,7 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_signature(
     shake256_inc_absorb(&state, msg, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     crh(rhoprime, key, SEEDBYTES + CRHBYTES);
 
@@ -341,6 +342,7 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_verify(
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     /* Matrix-vector multiplication; compute Az - c2^dt1 */
     PQCLEAN_DILITHIUM2_CLEAN_expand_mat(mat, rho);

crypto_sign/dilithium3/avx2/sign.c

@@ -214,6 +214,7 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_signature(
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     crh(rhoprime, key, SEEDBYTES + CRHBYTES);
 
@@ -363,6 +364,7 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_verify(
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     /* Matrix-vector multiplication; compute Az - c2^dt1 */
     PQCLEAN_DILITHIUM3_AVX2_expand_mat(mat, rho);

crypto_sign/dilithium3/clean/sign.c

@@ -192,6 +192,7 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_signature(
     shake256_inc_absorb(&state, msg, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     crh(rhoprime, key, SEEDBYTES + CRHBYTES);
 
@@ -341,6 +342,7 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_verify(
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     /* Matrix-vector multiplication; compute Az - c2^dt1 */
     PQCLEAN_DILITHIUM3_CLEAN_expand_mat(mat, rho);

crypto_sign/dilithium4/avx2/sign.c

@@ -230,6 +230,7 @@ int PQCLEAN_DILITHIUM4_AVX2_crypto_sign_signature(
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     crh(rhoprime, key, SEEDBYTES + CRHBYTES);
 
@@ -380,6 +381,7 @@ int PQCLEAN_DILITHIUM4_AVX2_crypto_sign_verify(
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     /* Matrix-vector multiplication; compute Az - c2^dt1 */
     PQCLEAN_DILITHIUM4_AVX2_expand_mat(mat, rho);

crypto_sign/dilithium4/clean/sign.c

@@ -192,6 +192,7 @@ int PQCLEAN_DILITHIUM4_CLEAN_crypto_sign_signature(
     shake256_inc_absorb(&state, msg, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     crh(rhoprime, key, SEEDBYTES + CRHBYTES);
 
@@ -341,6 +342,7 @@ int PQCLEAN_DILITHIUM4_CLEAN_crypto_sign_verify(
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
+    shake256_inc_ctx_release(&state);
 
     /* Matrix-vector multiplication; compute Az - c2^dt1 */
     PQCLEAN_DILITHIUM4_CLEAN_expand_mat(mat, rho);