From 3e819b7d690416cd24d66a7a605e26b3f7b6b77f Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 20 Dec 2019 14:09:55 +0100
Subject: [PATCH] psa_key_agreement_ecdh: zeroize output on failure
If psa_key_agreement_ecdh fails, there may be output that leaks sensitive information in the output buffer. Zeroize it. If this is due to an underlying failure in the ECDH implementation, it is currently not an issue since both the traditional Mbed TLS/Crypto implementation and Everest only write to the output buffer once every intermediate step has succeeded, but zeroizing is more robust. If this is because the recently added key size check fails, a leak could be a serious issue.
---
library/psa_crypto.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 203b6de26..72ecdde21 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5343,6 +5343,8 @@ static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key,
 status = PSA_ERROR_CORRUPTION_DETECTED;
 exit:
+ if( status != PSA_SUCCESS )
+ mbedtls_platform_zeroize( shared_secret, shared_secret_size );
 mbedtls_ecdh_free( &ecdh );
 mbedtls_ecp_keypair_free( their_key );
 mbedtls_free( their_key );
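Review bot: The wipe added under `exit:` clears the `shared_secret_size` bytes of `shared_secret` on every non-success status, but nothing in the hunk resets the length the function reports, so a failed call may still hand back the length written by the step that failed. The signature is cut off in the hunk header, so this assumes an output-length pointer exists (name assumed, not visible here). If it does, setting it on the same branch, e.g. `*shared_secret_length = 0;` inside a braced `if( status != PSA_SUCCESS )`, keeps a caller that mishandles the status from treating the zeroed buffer as a secret of that length. A one-line comment above the `if`, such as `/* Wipe any partial or wrongly sized secret before reporting an error. */`, would also record why the wipe runs for every failure rather than only the key-size check. The function body starts outside the hunk, and the patch touches only `library/psa_crypto.c`, so no test pins the zeroed-on-failure behaviour.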