From 833a9d5129e350041dfc388235d262a595712ae3 Mon Sep 17 00:00:00 2001
From: Douglas Stebila <dstebila@uwaterloo.ca>
Date: Sun, 16 Feb 2020 14:55:19 -0500
Subject: [PATCH] Fix memory leak in Kyber

---
 crypto_kem/kyber1024-90s/clean/indcpa.c | 2 +-
 crypto_kem/kyber1024/avx2/symmetric.h   | 2 +-
 crypto_kem/kyber1024/clean/indcpa.c     | 2 +-
 crypto_kem/kyber1024/clean/symmetric.h  | 2 +-
 crypto_kem/kyber512-90s/clean/indcpa.c  | 2 +-
 crypto_kem/kyber512/avx2/symmetric.h    | 2 +-
 crypto_kem/kyber512/clean/indcpa.c      | 2 +-
 crypto_kem/kyber512/clean/symmetric.h   | 2 +-
 crypto_kem/kyber768-90s/clean/indcpa.c  | 2 +-
 crypto_kem/kyber768/avx2/indcpa.c       | 2 ++
 crypto_kem/kyber768/avx2/symmetric.h    | 2 +-
 crypto_kem/kyber768/clean/indcpa.c      | 2 +-
 crypto_kem/kyber768/clean/symmetric.h   | 2 +-
 13 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/crypto_kem/kyber1024-90s/clean/indcpa.c b/crypto_kem/kyber1024-90s/clean/indcpa.c
index 3092c6a5..e60c89b2 100644
--- a/crypto_kem/kyber1024-90s/clean/indcpa.c
+++ b/crypto_kem/kyber1024-90s/clean/indcpa.c
@@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                 xof_squeezeblocks(buf, 1, &state);
                 ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
             }
+            xof_ctx_release(&state);
         }
     }
-    xof_ctx_release(&state);
 }
 
 /*************************************************
diff --git a/crypto_kem/kyber1024/avx2/symmetric.h b/crypto_kem/kyber1024/avx2/symmetric.h
index efc88d7c..adba822a 100644
--- a/crypto_kem/kyber1024/avx2/symmetric.h
+++ b/crypto_kem/kyber1024/avx2/symmetric.h
@@ -17,7 +17,7 @@ void PQCLEAN_KYBER1024_AVX2_shake256_prf(uint8_t *output, size_t outlen, const u
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER1024_AVX2_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER1024_AVX2_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
 
diff --git a/crypto_kem/kyber1024/clean/indcpa.c b/crypto_kem/kyber1024/clean/indcpa.c
index e8bfa1c0..a66e14d9 100644
--- a/crypto_kem/kyber1024/clean/indcpa.c
+++ b/crypto_kem/kyber1024/clean/indcpa.c
@@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                 xof_squeezeblocks(buf, 1, &state);
                 ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
             }
+            xof_ctx_release(&state);
         }
     }
-    xof_ctx_release(&state);
 }
 
 /*************************************************
diff --git a/crypto_kem/kyber1024/clean/symmetric.h b/crypto_kem/kyber1024/clean/symmetric.h
index ae5c7c99..2320e411 100644
--- a/crypto_kem/kyber1024/clean/symmetric.h
+++ b/crypto_kem/kyber1024/clean/symmetric.h
@@ -18,7 +18,7 @@ void PQCLEAN_KYBER1024_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER1024_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
 
diff --git a/crypto_kem/kyber512-90s/clean/indcpa.c b/crypto_kem/kyber512-90s/clean/indcpa.c
index 72cd842b..5f0ec6e0 100644
--- a/crypto_kem/kyber512-90s/clean/indcpa.c
+++ b/crypto_kem/kyber512-90s/clean/indcpa.c
@@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                 xof_squeezeblocks(buf, 1, &state);
                 ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
             }
+            xof_ctx_release(&state);
         }
     }
-    xof_ctx_release(&state);
 }
 
 /*************************************************
diff --git a/crypto_kem/kyber512/avx2/symmetric.h b/crypto_kem/kyber512/avx2/symmetric.h
index d7f636f3..88982be0 100644
--- a/crypto_kem/kyber512/avx2/symmetric.h
+++ b/crypto_kem/kyber512/avx2/symmetric.h
@@ -17,7 +17,7 @@ void PQCLEAN_KYBER512_AVX2_shake256_prf(uint8_t *output, size_t outlen, const ui
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER512_AVX2_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER512_AVX2_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
 
diff --git a/crypto_kem/kyber512/clean/indcpa.c b/crypto_kem/kyber512/clean/indcpa.c
index 41db35be..3f734eb5 100644
--- a/crypto_kem/kyber512/clean/indcpa.c
+++ b/crypto_kem/kyber512/clean/indcpa.c
@@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                 xof_squeezeblocks(buf, 1, &state);
                 ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
             }
+            xof_ctx_release(&state);
         }
     }
-    xof_ctx_release(&state);
 }
 
 /*************************************************
diff --git a/crypto_kem/kyber512/clean/symmetric.h b/crypto_kem/kyber512/clean/symmetric.h
index 8b58c0c3..5ef4f0f7 100644
--- a/crypto_kem/kyber512/clean/symmetric.h
+++ b/crypto_kem/kyber512/clean/symmetric.h
@@ -18,7 +18,7 @@ void PQCLEAN_KYBER512_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER512_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER512_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER512_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
 
diff --git a/crypto_kem/kyber768-90s/clean/indcpa.c b/crypto_kem/kyber768-90s/clean/indcpa.c
index babde479..438cbc81 100644
--- a/crypto_kem/kyber768-90s/clean/indcpa.c
+++ b/crypto_kem/kyber768-90s/clean/indcpa.c
@@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                 xof_squeezeblocks(buf, 1, &state);
                 ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
             }
+            xof_ctx_release(&state);
         }
     }
-    xof_ctx_release(&state);
 }
 
 /*************************************************
diff --git a/crypto_kem/kyber768/avx2/indcpa.c b/crypto_kem/kyber768/avx2/indcpa.c
index 528f2432..90567655 100644
--- a/crypto_kem/kyber768/avx2/indcpa.c
+++ b/crypto_kem/kyber768/avx2/indcpa.c
@@ -213,6 +213,8 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
         ctr0 += rej_uniform_ref(a[2].vec[2].coeffs + ctr0, KYBER_N - ctr0, buf.x[0], bufbytes);
     }
 
+    xof_ctx_release(&state1x);
+
     PQCLEAN_KYBER768_AVX2_poly_nttunpack(&a[2].vec[2]);
 }
 
diff --git a/crypto_kem/kyber768/avx2/symmetric.h b/crypto_kem/kyber768/avx2/symmetric.h
index 694457e2..eecd78c2 100644
--- a/crypto_kem/kyber768/avx2/symmetric.h
+++ b/crypto_kem/kyber768/avx2/symmetric.h
@@ -17,7 +17,7 @@ void PQCLEAN_KYBER768_AVX2_shake256_prf(uint8_t *output, size_t outlen, const ui
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER768_AVX2_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER768_AVX2_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
 
diff --git a/crypto_kem/kyber768/clean/indcpa.c b/crypto_kem/kyber768/clean/indcpa.c
index 776f233b..47f6d808 100644
--- a/crypto_kem/kyber768/clean/indcpa.c
+++ b/crypto_kem/kyber768/clean/indcpa.c
@@ -167,9 +167,9 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
                 xof_squeezeblocks(buf, 1, &state);
                 ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, XOF_BLOCKBYTES);
             }
+            xof_ctx_release(&state);
         }
     }
-    xof_ctx_release(&state);
 }
 
 /*************************************************
diff --git a/crypto_kem/kyber768/clean/symmetric.h b/crypto_kem/kyber768/clean/symmetric.h
index cd688df9..0d4ac2b7 100644
--- a/crypto_kem/kyber768/clean/symmetric.h
+++ b/crypto_kem/kyber768/clean/symmetric.h
@@ -18,7 +18,7 @@ void PQCLEAN_KYBER768_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER768_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER768_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER768_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)