From 7d89d351e603564cea00942b0d817c90407c8811 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 16 Nov 2022 22:54:14 +0100
Subject: [PATCH] Zeroize sensitive data

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 library/bignum_core.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/library/bignum_core.c b/library/bignum_core.c
index 247600c521..71a2fb16a4 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -624,6 +624,12 @@ static void exp_mod_precompute_window( const mbedtls_mpi_uint *A,
     }
 }
 
+/* Exponentiation: X := A^E mod N.
+ *
+ * As in other bignum functions, assume that AN_limbs and E_limbs are nonzero.
+ *
+ * RR must contain 2^{2*biL} mod N.
+ */
 int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X,
                               const mbedtls_mpi_uint *A,
                               const mbedtls_mpi_uint *N,
@@ -722,6 +728,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X,
     const mbedtls_mpi_uint one = 1;
     mbedtls_mpi_core_montmul( X, X, &one, 1, N, AN_limbs, mm, temp );
 
+    mbedtls_platform_zeroize( mempool, total_limbs * sizeof(mbedtls_mpi_uint) );
     mbedtls_free( mempool );
     return( 0 );
 }