psa_key_agreement_ecdh: zeroize output on failure

If psa_key_agreement_ecdh fails, there may be output that leaks
sensitive information in the output buffer. Zeroize it.

If this is due to an underlying failure in the ECDH implementation, it
is currently not an issue since both the traditional Mbed TLS/Crypto
implementation and Everest only write to the output buffer once every
intermediate step has succeeded, but zeroizing is more robust. If this
is because the recently added key size check fails, a leak could be a
serious issue.
This commit is contained in:
Gilles Peskine 2019-12-20 14:09:55 +01:00
parent 7cfcb3fc03
commit 3e819b7d69

View file

@ -5343,6 +5343,8 @@ static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key,
status = PSA_ERROR_CORRUPTION_DETECTED;
exit:
if( status != PSA_SUCCESS )
mbedtls_platform_zeroize( shared_secret, shared_secret_size );
mbedtls_ecdh_free( &ecdh );
mbedtls_ecp_keypair_free( their_key );
mbedtls_free( their_key );