From e847afd9ef820060210a8c20c7f35afade483433 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Mar 2025 12:41:39 +0100 Subject: [PATCH 1/3] Zeroize temporary heap buffers used in PSA operations Signed-off-by: Gilles Peskine --- ChangeLog.d/psa-zeroize.txt | 2 ++ library/psa_crypto.c | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) create mode 100644 ChangeLog.d/psa-zeroize.txt diff --git a/ChangeLog.d/psa-zeroize.txt b/ChangeLog.d/psa-zeroize.txt new file mode 100644 index 0000000000..e597302dc6 --- /dev/null +++ b/ChangeLog.d/psa-zeroize.txt @@ -0,0 +1,2 @@ +Security + * Zeroize temporary heap buffers used in PSA operations. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b576f95789..54e497e5d2 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -9300,7 +9300,7 @@ psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len return PSA_SUCCESS; error: - mbedtls_free(local_input->buffer); + mbedtls_zeroize_and_free(local_input->buffer, local_input->length); local_input->buffer = NULL; local_input->length = 0; return status; @@ -9308,7 +9308,7 @@ error: void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input) { - mbedtls_free(local_input->buffer); + mbedtls_zeroize_and_free(local_input->buffer, local_input->length); local_input->buffer = NULL; local_input->length = 0; } @@ -9352,7 +9352,7 @@ psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_outpu return status; } - mbedtls_free(local_output->buffer); + mbedtls_zeroize_and_free(local_output->buffer, local_output->length); local_output->buffer = NULL; local_output->length = 0; From 184cac1eb68a728848c96d36f1fda29f26c7aa1a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Mar 2025 12:42:30 +0100 Subject: [PATCH 2/3] Zeroize temporary heap buffers used when deriving an ECC key Signed-off-by: Gilles Peskine --- ChangeLog.d/psa-zeroize.txt | 2 ++ library/psa_crypto.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/psa-zeroize.txt b/ChangeLog.d/psa-zeroize.txt index e597302dc6..6bdaa00729 100644 --- a/ChangeLog.d/psa-zeroize.txt +++ b/ChangeLog.d/psa-zeroize.txt @@ -1,2 +1,4 @@ Security + * Zeroize a temporary heap buffer used in psa_key_derivation_output_key() + when deriving an ECC key pair. * Zeroize temporary heap buffers used in PSA operations. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 54e497e5d2..d959587c83 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6389,7 +6389,7 @@ cleanup: status = mbedtls_to_psa_error(ret); } if (status != PSA_SUCCESS) { - mbedtls_free(*data); + mbedtls_zeroize_and_free(*data, m_bytes); *data = NULL; } mbedtls_mpi_free(&k); @@ -6564,7 +6564,7 @@ static psa_status_t psa_generate_derived_key_internal( } exit: - mbedtls_free(data); + mbedtls_zeroize_and_free(data, bytes); return status; } From ce726b23fa70816f77832cdc1883b3796efe0687 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Mar 2025 19:27:50 +0100 Subject: [PATCH 3/3] Fix uninitialized variable The of m_bytes value isn't actually used when it's uninitialized, because *data is null, but that's very fragile. Signed-off-by: Gilles Peskine --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d959587c83..4ccb75be61 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6316,7 +6316,7 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t m; - size_t m_bytes; + size_t m_bytes = 0; mbedtls_mpi_init(&k); mbedtls_mpi_init(&diff_N_2);