From bbad7871d24e86ea7f2cc132179146c4c3c57b42 Mon Sep 17 00:00:00 2001
From: Thom Wiggers
Date: Sun, 16 Feb 2020 16:18:05 +0100
Subject: [PATCH] Fix SHAKE256 memory leak in Dilithium (#271)
---
 crypto_sign/dilithium2/avx2/sign.c | 2 ++
 crypto_sign/dilithium2/clean/sign.c | 2 ++
 crypto_sign/dilithium3/avx2/sign.c | 2 ++
 crypto_sign/dilithium3/clean/sign.c | 2 ++
 crypto_sign/dilithium4/avx2/sign.c | 2 ++
 crypto_sign/dilithium4/clean/sign.c | 2 ++
 6 files changed, 12 insertions(+)
diff --git a/crypto_sign/dilithium2/avx2/sign.c b/crypto_sign/dilithium2/avx2/sign.c
index 9aa54537..beaca17c 100644
--- a/crypto_sign/dilithium2/avx2/sign.c
+++ b/crypto_sign/dilithium2/avx2/sign.c
@@ -201,6 +201,7 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_signature(
 shake256_inc_absorb(&state, m, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 crh(rhoprime, key, SEEDBYTES + CRHBYTES);
@@ -350,6 +351,7 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_verify(
 shake256_inc_absorb(&state, m, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 /* Matrix-vector multiplication; compute Az - c2^dt1 */
 PQCLEAN_DILITHIUM2_AVX2_expand_mat(mat, rho);
diff --git a/crypto_sign/dilithium2/clean/sign.c b/crypto_sign/dilithium2/clean/sign.c
index 3322ecc2..f1557978 100644
--- a/crypto_sign/dilithium2/clean/sign.c
+++ b/crypto_sign/dilithium2/clean/sign.c
@@ -192,6 +192,7 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_signature(
 shake256_inc_absorb(&state, msg, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 crh(rhoprime, key, SEEDBYTES + CRHBYTES);
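Review bot: The added `shake256_inc_ctx_release(&state);` in the `@@ -201,6 +201,7 @@` hunk of crypto_sign/dilithium2/avx2/sign.c closes the leak only on the straight-line path; whether any early return exists between the matching `shake256_inc_init` and this line cannot be confirmed here, because `PQCLEAN_DILITHIUM2_AVX2_crypto_sign_signature` starts before the hunk and continues past `crh(...)`. The same applies to the verify hunk in this file and to the identical signature/verify hunks in the dilithium2/clean, dilithium3 avx2/clean and dilithium4 avx2/clean files. A short comment on the new line would record the ownership rule the fix depends on, e.g. `/* state owns resources from shake256_inc_init; release after the last squeeze */`, hedged since the init call is outside the hunk. The commit title implies the context is heap-backed; if the absorbed input ever carries secret material, it is worth confirming that release also clears the buffer before freeing it.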
@@ -341,6 +342,7 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_verify(
 shake256_inc_absorb(&state, m, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 /* Matrix-vector multiplication; compute Az - c2^dt1 */
 PQCLEAN_DILITHIUM2_CLEAN_expand_mat(mat, rho);
diff --git a/crypto_sign/dilithium3/avx2/sign.c b/crypto_sign/dilithium3/avx2/sign.c
index 16f37a10..1084b653 100644
--- a/crypto_sign/dilithium3/avx2/sign.c
+++ b/crypto_sign/dilithium3/avx2/sign.c
@@ -214,6 +214,7 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_signature(
 shake256_inc_absorb(&state, m, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 crh(rhoprime, key, SEEDBYTES + CRHBYTES);
@@ -363,6 +364,7 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_verify(
 shake256_inc_absorb(&state, m, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 /* Matrix-vector multiplication; compute Az - c2^dt1 */
 PQCLEAN_DILITHIUM3_AVX2_expand_mat(mat, rho);
diff --git a/crypto_sign/dilithium3/clean/sign.c b/crypto_sign/dilithium3/clean/sign.c
index 10d04623..6a7ceef0 100644
--- a/crypto_sign/dilithium3/clean/sign.c
+++ b/crypto_sign/dilithium3/clean/sign.c
@@ -192,6 +192,7 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_signature(
 shake256_inc_absorb(&state, msg, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 crh(rhoprime, key, SEEDBYTES + CRHBYTES);
@@ -341,6 +342,7 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_verify(
 shake256_inc_absorb(&state, m, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 /* Matrix-vector multiplication; compute Az - c2^dt1 */
 PQCLEAN_DILITHIUM3_CLEAN_expand_mat(mat, rho);
diff --git a/crypto_sign/dilithium4/avx2/sign.c b/crypto_sign/dilithium4/avx2/sign.c
index fbf07768..b489c463 100644
--- a/crypto_sign/dilithium4/avx2/sign.c
+++ b/crypto_sign/dilithium4/avx2/sign.c
@@ -230,6 +230,7 @@ int PQCLEAN_DILITHIUM4_AVX2_crypto_sign_signature(
 shake256_inc_absorb(&state, m, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 crh(rhoprime, key, SEEDBYTES + CRHBYTES);
@@ -380,6 +381,7 @@ int PQCLEAN_DILITHIUM4_AVX2_crypto_sign_verify(
 shake256_inc_absorb(&state, m, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 /* Matrix-vector multiplication; compute Az - c2^dt1 */
 PQCLEAN_DILITHIUM4_AVX2_expand_mat(mat, rho);
diff --git a/crypto_sign/dilithium4/clean/sign.c b/crypto_sign/dilithium4/clean/sign.c
index 10cbcf5b..ab2da1c2 100644
--- a/crypto_sign/dilithium4/clean/sign.c
+++ b/crypto_sign/dilithium4/clean/sign.c
@@ -192,6 +192,7 @@ int PQCLEAN_DILITHIUM4_CLEAN_crypto_sign_signature(
 shake256_inc_absorb(&state, msg, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 crh(rhoprime, key, SEEDBYTES + CRHBYTES);
@@ -341,6 +342,7 @@ int PQCLEAN_DILITHIUM4_CLEAN_crypto_sign_verify(
 shake256_inc_absorb(&state, m, mlen);
 shake256_inc_finalize(&state);
 shake256_inc_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_ctx_release(&state);
 /* Matrix-vector multiplication; compute Az - c2^dt1 */
 PQCLEAN_DILITHIUM4_CLEAN_expand_mat(mat, rho);