commit 246e51fd0b4b73db848f8e102ff341bce91a04d4
author Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com> Thu Jun 15 22:15:43 2023 +0530
committer Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com> Thu Jun 15 22:15:43 2023 +0530
tree 0b22b8e78f3be116562782116419280051b11e5b
parent d07761c19c8144daa5c976ada427d93980d8ede8

Add cleanup for intermediate buffer

Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>

library/psa_crypto.c

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 41f13cd..258a405 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5499,25 +5499,25 @@
                                                pbkdf2->password_length,
                                                prf_alg);
     if (status != PSA_SUCCESS) {
-        return status;
+        goto cleanup;
     }
     status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length);
     if (status != PSA_SUCCESS) {
-        return status;
+        goto cleanup;
     }
     status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter));
     if (status != PSA_SUCCESS) {
-        return status;
+        goto cleanup;
     }
     status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i),
                                  &mac_output_length);
     if (status != PSA_SUCCESS) {
-        return status;
+        goto cleanup;
     }
 
     if (mac_output_length != prf_output_length) {
         status = PSA_ERROR_CORRUPTION_DETECTED;
-        return status;
+        goto cleanup;
     }
 
     memcpy(U_accumulator, U_i, prf_output_length);
@@ -5530,12 +5530,16 @@
                                                 U_i, sizeof(U_i),
                                                 &mac_output_length);
         if (status != PSA_SUCCESS) {
-            return status;
+            goto cleanup;
         }
 
         mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length);
     }
-    return PSA_SUCCESS;
+
+cleanup:
+    /* Zeroise buffers to clear sensitive data from memory. */
+    mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE);
+    return status;
 }
 
 static psa_status_t psa_key_derivation_pbkdf2_read(