pk_wrap: destroy key slot on errors with policy or key importing
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 2e22ec9..469dc25 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -591,7 +591,7 @@
// Check if both parts are of the same size
if( len_partial != len_signature )
- return( MBEDTLS_ERR_X509_INVALID_SIGNATURE );
+ return( MBEDTLS_ERR_X509_INVALID_SIGNATURE );
memcpy( sig->p + len_partial, *p, len_partial );
len_signature += len_partial;
@@ -696,15 +696,16 @@
key_len = mbedtls_pk_write_pubkey_der( &key, buf, buf_len );
if( key_len <= 0 )
{
- ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- goto cleanup;
+ mbedtls_free( signature.p );
+ return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
}
if( mbedtls_psa_get_free_key_slot( &key_slot ) != PSA_SUCCESS )
{
- ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- goto cleanup;
+ mbedtls_free( signature.p );
+ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
}
+
psa_key_policy_init( &policy );
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_VERIFY, psa_sig_md );
if( psa_set_key_policy( key_slot, &policy ) != PSA_SUCCESS )
@@ -725,14 +726,13 @@
signature.p, signature.len )
!= PSA_SUCCESS )
{
- psa_destroy_key( key_slot );
ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
goto cleanup;
}
ret = 0;
- psa_destroy_key( key_slot );
cleanup:
+ psa_destroy_key( key_slot );
mbedtls_free( signature.p );
return( ret );
}