Merge pull request #5601 from SiliconLabs/erase_secret_before_free_backport_2_28

Backport 2.28: Erase secrets in allocated memory before freeing said memory
This commit is contained in:
Gilles Peskine
2022-03-07 17:04:01 +01:00
committed by GitHub
2 changed files with 6 additions and 0 deletions


@@ -0,0 +1,4 @@
Security
* Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
module before freeing them. These buffers contain secret key material, and
could thus potentially leak the key through freed heap.


@@ -347,6 +347,7 @@ psa_status_t psa_save_persistent_key( const psa_core_key_attributes_t *attr,
status = psa_crypto_storage_store( attr->id,
storage_data, storage_data_length );
mbedtls_platform_zeroize( storage_data, storage_data_length );
mbedtls_free( storage_data );
return( status );
@@ -392,6 +393,7 @@ psa_status_t psa_load_persistent_key( psa_core_key_attributes_t *attr,
status = PSA_ERROR_STORAGE_FAILURE;
exit:
mbedtls_platform_zeroize( loaded_data, storage_data_length );
mbedtls_free( loaded_data );
return( status );
}
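Review bot: The zeroize added at the `exit:` label in psa_load_persistent_key assumes that `loaded_data` is already allocated and that `storage_data_length` equals the allocated size on every path that jumps to `exit`; if any failure path reaches the label before the allocation while `storage_data_length` is already non-zero, `mbedtls_platform_zeroize` would be handed a NULL buffer with a non-zero length, which its argument validation does not accept. psa_load_persistent_key starts outside the hunk, so the early-return paths cannot be checked here and deserve a glance. The corresponding line in the psa_save_persistent_key hunk looks correct for the lines shown, since `storage_data` and `storage_data_length` are the same pair just passed to psa_crypto_storage_store. At both sites a short why-comment, `/* Buffer holds key material: wipe it before it goes back to the heap. */`, would keep a later cleanup from treating the zeroize before free as redundant and removing it.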