psa_key_agreement_ecdh: zeroize output on failure

gilles-peskine-arm · gilles-peskine-arm · commit 79ab5ce27eed · 2020-01-30T18:25:51.000+01:00
If psa_key_agreement_ecdh fails, there may be output that leaks
sensitive information in the output buffer. Zeroize it.

If this is due to an underlying failure in the ECDH implementation, it
is currently not an issue since both the traditional Mbed TLS/Crypto
implementation and Everest only write to the output buffer once every
intermediate step has succeeded, but zeroizing is more robust. If this
is because the recently added key size check fails, a leak could be a
serious issue.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -5297,6 +5297,8 @@ static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key,
         status = PSA_ERROR_CORRUPTION_DETECTED;
 
 exit:
+    if( status != PSA_SUCCESS )
+        mbedtls_platform_zeroize( shared_secret, shared_secret_size );
     mbedtls_ecdh_free( &ecdh );
     mbedtls_ecp_keypair_free( their_key );
     mbedtls_free( their_key );
