From 369ae0afc35079979d32b93ba824898a23e1f733 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Thu, 17 Nov 2022 14:14:31 +0100
Subject: [PATCH] Zeroize pake password buffer before free

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 library/psa_crypto_pake.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index b89954830f..ef31af4204 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -288,6 +288,7 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
 
     if( operation->password != NULL )
     {
+        mbedtls_platform_zeroize( operation->password, operation->password_len );
         mbedtls_free( operation->password );
         operation->password_len = 0;
     }
@@ -864,6 +865,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
     {
         operation->input_step = PSA_PAKE_STEP_INVALID;
         operation->output_step = PSA_PAKE_STEP_INVALID;
+        mbedtls_platform_zeroize( operation->password, operation->password_len );
         mbedtls_free( operation->password );
         operation->password = NULL;
         operation->password_len = 0;