From 91f3435fb40cd740d4252ad7a071fff15ea2089a Mon Sep 17 00:00:00 2001
From: Stephan Mueller
Date: Thu, 15 Aug 2024 16:56:08 +0200
Subject: [PATCH] Kyber ARMv8: change keygen to be FIPS 203 compliant

Signed-off-by: Stephan Mueller
---
 kem/src/armv8/kyber_indcpa_armv8.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/kem/src/armv8/kyber_indcpa_armv8.c b/kem/src/armv8/kyber_indcpa_armv8.c
index e2e3023e..674cde13 100644
--- a/kem/src/armv8/kyber_indcpa_armv8.c
+++ b/kem/src/armv8/kyber_indcpa_armv8.c
@@ -230,11 +230,13 @@ int indcpa_keypair_armv8(uint8_t pk[LC_KYBER_INDCPA_PUBLICKEYBYTES],
 	uint8_t poly_getnoise_eta1_buf[POLY_GETNOISE_ETA1_BUFSIZE];
 	polyvec a[LC_KYBER_K], e, pkpv, skpv;
 	};
+	static const uint8_t kval = LC_KYBER_K;
 	unsigned int i;
 	uint8_t *buf;
 	const uint8_t *publicseed, *noiseseed;
 	uint8_t nonce = 0, nonce2 = LC_KYBER_K;
 	int ret;
+	LC_HASH_CTX_ON_STACK(sha3_512_ctx, lc_sha3_512);
 	LC_DECLARE_MEM(ws, struct workspace, 32);
 	buf = ws->buf;
@@ -245,7 +247,12 @@ int indcpa_keypair_armv8(uint8_t pk[LC_KYBER_INDCPA_PUBLICKEYBYTES],
 	poison(noiseseed, LC_KYBER_SYMBYTES);
 	CKINT(lc_rng_generate(rng_ctx, NULL, 0, buf, LC_KYBER_SYMBYTES));
-	lc_hash(lc_sha3_512, buf, LC_KYBER_SYMBYTES, buf);
+	lc_hash_init(sha3_512_ctx);
+	lc_hash_update(sha3_512_ctx, buf, LC_KYBER_SYMBYTES);
+	lc_hash_update(sha3_512_ctx, &kval, sizeof(kval));
+	lc_hash_final(sha3_512_ctx, buf);
+	lc_hash_zero(sha3_512_ctx);
+
 	gen_a(ws->a, publicseed);
 	for (i = 0; i < LC_KYBER_K; i++) {
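Review bot: The new hash block in the second hunk carries no comment explaining why a single byte `LC_KYBER_K` is appended to the seed, which is the whole substance of the change; add above `lc_hash_init` something like `/* FIPS 203 K-PKE.KeyGen: (rho, sigma) = G(d || k), with k = LC_KYBER_K encoded as one byte */`. Because this alters the mapping from the random seed to the key pair, any deterministic-seed test vectors recorded for this path will no longer match and need regenerating against FIPS 203 vectors, and the project's other Kyber backends (not visible here) presumably need the identical construction or the implementations will produce different keys from the same seed. The `lc_hash_zero` after `lc_hash_final` only runs on the success path, which is sufficient here since the only CKINT exit before it precedes `lc_hash_init`; indcpa_keypair_armv8's body continues outside the hunk.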