Commit 5d44f67aaf for openssl.org

commit 5d44f67aafb26ea3adcd33cd6d34bc17e40466cb
Author: Joachim Vandersmissen <git@jvdsn.com>
Date:   Fri Apr 18 12:48:24 2025 -0500

    Properly zeroize ML-KEM z and d values

    Ensure z and d are actually zeroized by cleansing the full size of s,
    rather than just vector_bytes.

    Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/27437)

diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
index ec75233435..662e7dd622 100644
--- a/crypto/ml_kem/ml_kem.c
+++ b/crypto/ml_kem/ml_kem.c
@@ -1550,7 +1550,7 @@ ossl_ml_kem_key_reset(ML_KEM_KEY *key)
      */
     if (ossl_ml_kem_have_prvkey(key))
         OPENSSL_cleanse(key->s,
-                        key->vinfo->vector_bytes + 2 * ML_KEM_RANDOM_BYTES);
+                        key->vinfo->rank * sizeof(scalar) + 2 * ML_KEM_RANDOM_BYTES);
     OPENSSL_free(key->t);
     key->d = key->z = (uint8_t *)(key->s = key->m = key->t = NULL);
 }