eden-emu/mbedtls
20
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #7933 from tom-cosgrove-arm/add-mbedtls_zeroize_and_free

Browse source 
Provide and use internal function mbedtls_zeroize_and_free()
This commit is contained in:
Dave Rodgman 2023-08-03 12:56:21 +00:00 committed by GitHub
commit 1d4d944e19
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
24 changed files with 90 additions and 141 deletions
Download patch file Download diff file Expand all files Collapse all files

29
library/psa_crypto.c
View file

@ -1089,13 +1089,10 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot)
{
/* Data pointer will always be either a valid pointer or NULL in an
* initialized slot, so we can just free it. */
if (slot->key.data != NULL) {
mbedtls_platform_zeroize(slot->key.data, slot->key.bytes);
mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes);
}
mbedtls_free(slot->key.data);
slot->key.data = NULL;
slot->key.bytes = 0;
@ -5164,27 +5161,23 @@ psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
/* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
if (operation->ctx.tls12_prf.secret != NULL) {
mbedtls_platform_zeroize(operation->ctx.tls12_prf.secret,
mbedtls_zeroize_and_free(operation->ctx.tls12_prf.secret,
operation->ctx.tls12_prf.secret_length);
mbedtls_free(operation->ctx.tls12_prf.secret);
}
if (operation->ctx.tls12_prf.seed != NULL) {
mbedtls_platform_zeroize(operation->ctx.tls12_prf.seed,
mbedtls_zeroize_and_free(operation->ctx.tls12_prf.seed,
operation->ctx.tls12_prf.seed_length);
mbedtls_free(operation->ctx.tls12_prf.seed);
}
if (operation->ctx.tls12_prf.label != NULL) {
mbedtls_platform_zeroize(operation->ctx.tls12_prf.label,
mbedtls_zeroize_and_free(operation->ctx.tls12_prf.label,
operation->ctx.tls12_prf.label_length);
mbedtls_free(operation->ctx.tls12_prf.label);
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
if (operation->ctx.tls12_prf.other_secret != NULL) {
mbedtls_platform_zeroize(operation->ctx.tls12_prf.other_secret,
mbedtls_zeroize_and_free(operation->ctx.tls12_prf.other_secret,
operation->ctx.tls12_prf.other_secret_length);
mbedtls_free(operation->ctx.tls12_prf.other_secret);
}
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
status = PSA_SUCCESS;
@ -5203,9 +5196,8 @@ psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
if (operation->ctx.pbkdf2.salt != NULL) {
mbedtls_platform_zeroize(operation->ctx.pbkdf2.salt,
mbedtls_zeroize_and_free(operation->ctx.pbkdf2.salt,
operation->ctx.pbkdf2.salt_length);
mbedtls_free(operation->ctx.pbkdf2.salt);
}
status = PSA_SUCCESS;
@ -6568,8 +6560,7 @@ static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
status = psa_tls12_prf_set_key(prf, pms, cur - pms);
mbedtls_platform_zeroize(pms, pms_len);
mbedtls_free(pms);
mbedtls_zeroize_and_free(pms, pms_len);
return status;
}
@ -8010,8 +8001,7 @@ static psa_status_t psa_pake_complete_inputs(
status = psa_driver_wrapper_pake_setup(operation, &inputs);
/* Driver is responsible for creating its own copy of the password. */
mbedtls_platform_zeroize(inputs.password, inputs.password_len);
mbedtls_free(inputs.password);
mbedtls_zeroize_and_free(inputs.password, inputs.password_len);
/* User and peer are translated to role. */
mbedtls_free(inputs.user);
@ -8312,9 +8302,8 @@ psa_status_t psa_pake_abort(
if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
if (operation->data.inputs.password != NULL) {
mbedtls_platform_zeroize(operation->data.inputs.password,
mbedtls_zeroize_and_free(operation->data.inputs.password,
operation->data.inputs.password_len);
mbedtls_free(operation->data.inputs.password);
}
if (operation->data.inputs.user != NULL) {
mbedtls_free(operation->data.inputs.user);