From 6f8d7f1b8c8beab28aaf6b5d8ebdf0e6dd39331f Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Mon, 13 Dec 2021 12:37:55 +0100
Subject: [PATCH] PKCS#1v1.5 signature: better cleanup of temporary values

Zeroize temporary buffers used to sanity-check the signature.

If there is an error, overwrite the tentative signature in the output
buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 library/rsa.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/library/rsa.c b/library/rsa.c
index c8c23dba8c..47d784c1ba 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -2148,9 +2148,13 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
     memcpy( sig, sig_try, ctx->len );
 
 cleanup:
+    mbedtls_platform_zeroize( sig_try, ctx->len );
+    mbedtls_platform_zeroize( verif, ctx->len );
     mbedtls_free( sig_try );
     mbedtls_free( verif );
 
+    if( ret != 0 )
+        memset( sig, '!', ctx->len );
     return( ret );
 }
 #endif /* MBEDTLS_PKCS1_V15 */