From 73e7f4c0eec1108dd331224b65184bc3b61b10ff Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 5 May 2017 19:24:06 +0200
Subject: [PATCH] RSA: wipe more stack buffers

MGF mask and PSS salt are not highly sensitive, but wipe them anyway for good hygiene.
---
 library/rsa.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/library/rsa.c b/library/rsa.c
index 09477cbc4..8d7e9e623 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -492,6 +492,8 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
 dlen -= use_len;
 }
+
+ polarssl_zeroize( mask, sizeof( mask ) );
 }
 #endif /* POLARSSL_PKCS1_V21 */
@@ -1011,6 +1013,7 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
 if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
 {
 md_free( &md_ctx );
+ /* No need to zeroize salt: we didn't use it. */
 return( ret );
 }
@@ -1021,6 +1024,7 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
 md_update( &md_ctx, hash, hashlen );
 md_update( &md_ctx, salt, slen );
 md_finish( &md_ctx, p );
+ polarssl_zeroize( salt, sizeof( salt ) );
 // Compensate for boundary condition when applying mask
 //
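Review bot: The added `polarssl_zeroize( mask, sizeof( mask ) );` at the end of `mgf_mask` clears the whole buffer only while `mask` is a true local array. Its declaration is outside this hunk, so that should be confirmed, and a one-line comment would pin the assumption: `/* mask is a local array: sizeof covers the full buffer */`. The same applies to `sizeof( salt )` in the third hunk. Since `mask` is not read again after the call, it is also worth confirming that `polarssl_zeroize` is written so the compiler cannot drop it as a dead store; its definition is not part of this patch.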
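Review bot: The added comment `/* No need to zeroize salt: we didn't use it. */` in the `md_init_ctx` failure branch cannot be checked from this hunk. If `salt` is already filled from the RNG earlier in `rsa_rsassa_pss_sign` (outside the hunk), the buffer still holds the generated bytes on this return path even though they were never hashed. Given the commit's stated aim of wiping for hygiene, either add `polarssl_zeroize( salt, sizeof( salt ) );` before `return( ret );`, or reword the comment to state what `salt` holds at that point. The third hunk wipes `salt` only on the straight-line path after `md_finish`, so any other early return between salt generation and that line deserves the same check.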