mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-16 08:42:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #5579 from SiliconLabs/erase_secret_before_free

Browse Source 
Erase secrets in allocated memory before freeing said memory
This commit is contained in:
Gilles Peskine 2022-03-07 17:04:04 +01:00 committed by GitHub
commit 15364ffb03
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog.d/zeroize_key_buffers_before_free.txt Normal file
View File

@ -0,0 +1,4 @@
Security
* Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
module before freeing them. These buffers contain secret key material, and
could thus potentially leak the key through freed heap.

2
library/psa_crypto_storage.c
View File

@ -349,6 +349,7 @@ psa_status_t psa_save_persistent_key( const psa_core_key_attributes_t *attr,
status = psa_crypto_storage_store( attr->id,
storage_data, storage_data_length );
mbedtls_platform_zeroize( storage_data, storage_data_length );
mbedtls_free( storage_data );
return( status );
@ -394,6 +395,7 @@ psa_status_t psa_load_persistent_key( psa_core_key_attributes_t *attr,
status = PSA_ERROR_STORAGE_FAILURE;
exit:
mbedtls_platform_zeroize( loaded_data, storage_data_length );
mbedtls_free( loaded_data );
return( status );
}