psa_key_agreement_ecdh: zeroize output on failure If psa_key_agreement_ecdh fails, there may be output that leaks sensitive information in the output buffer. Zeroize it. If this is due to an underlying failure in the ECDH implementation, it is currently not an issue since both the traditional Mbed TLS/Crypto implementation and Everest only write to the output buffer once every intermediate step has succeeded, but zeroizing is more robust. If this is because the recently added key size check fails, a leak could be a serious issue.

commit: 3e819b7d690416cd24d66a7a605e26b3f7b6b77f [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Fri Dec 20 14:09:55 2019 +0100
committer: Gilles Peskine <Gilles.Peskine@arm.com> Fri Jan 31 10:24:21 2020 +0100
tree: 5784cfef0a5a43256aa3dbfb3e0b13b17f8b471a
parent: 7cfcb3fc03744d9a1b2518ed26a128fa589782d6 [diff] [blame]
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 203b6de..72ecdde 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c

@@ -5343,6 +5343,8 @@
         status = PSA_ERROR_CORRUPTION_DETECTED;
 
 exit:
+    if( status != PSA_SUCCESS )
+        mbedtls_platform_zeroize( shared_secret, shared_secret_size );
     mbedtls_ecdh_free( &ecdh );
     mbedtls_ecp_keypair_free( their_key );
     mbedtls_free( their_key );
commit	3e819b7d690416cd24d66a7a605e26b3f7b6b77f	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Fri Dec 20 14:09:55 2019 +0100
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Fri Jan 31 10:24:21 2020 +0100
tree	5784cfef0a5a43256aa3dbfb3e0b13b17f8b471a
parent	7cfcb3fc03744d9a1b2518ed26a128fa589782d6 [diff] [blame]