Backport 1.3:Set PEM buffer to zero before freeing it

Set PEM buffer to zero before freeing it, to avoid private keys being leaked to memory after releasing it.
2025-11-04 16:04:57 +00:00 · 2017-09-05 15:34:35 +03:00 · 2017-09-05 15:34:35 +03:00 · 27ce0b5ff1
parent a75a459143
commit 27ce0b5ff1
2 changed files with 8 additions and 0 deletions
--- a/6
+++ b/6
@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Security
+   * Set PEM buffer to zero before freeing it, to avoid decoded private keys
+     being leaked to memory after release.
+
 = mbed TLS 1.3.21 branch released 2017-08-10

 Security
--- a/library/pem.c
+++ b/library/pem.c
@ -389,6 +389,8 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,

 void pem_free( pem_context *ctx )
 {
+    if ( ctx->buf != NULL )
+        polarssl_zeroize( ctx->buf, ctx->buflen );
    polarssl_free( ctx->buf );
    polarssl_free( ctx->info );