psa_export_key: zero out potential garbage in the output buffer

In psa_export_key, ensure that each byte of the output buffer either
contains its original value, is zero, or is part of the actual output.
Specifically, don't risk having partial output on error, and don't
leave extra data at the end of the buffer when exporting an asymmetric
key.

Test that exporting to a previously zeroed buffer leaves the buffer
zeroed outside the actual output if any.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index c552b53..8e7aeef 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -628,17 +628,22 @@
             else
                 ret = mbedtls_pk_write_key_der( &pk, data, data_size );
             if( ret < 0 )
+            {
+                memset( data, 0, data_size );
                 return( mbedtls_to_psa_error( ret ) );
+            }
             /* The mbedtls_pk_xxx functions write to the end of the buffer.
              * Move the data to the beginning and erase remaining data
              * at the original location. */
             if( 2 * (size_t) ret <= data_size )
             {
                 memcpy( data, data + data_size - ret, ret );
+                memset( data + data_size - ret, 0, ret );
             }
             else if( (size_t) ret < data_size )
             {
                 memmove( data, data + data_size - ret, ret );
+                memset( data + ret, 0, data_size - ret );
             }
             *data_length = ret;
             return( PSA_SUCCESS );
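Review bot: The new error branch wipes `data`, but the visible lines never assign `*data_length` on that path, while the test change in this same commit asserts `exported_length == 0` after a failed export. The function body starts and ends outside the hunk, so it may already clear the length earlier; if it does not, add `*data_length = 0;` next to `memset( data, 0, data_size );` so a caller cannot pair a stale length with the zeroed buffer. It would also help to extend the existing comment to say that in the `2 * (size_t) ret <= data_size` branch the bytes in `[ret, data_size - ret)` are deliberately left at their original values, since only the source range is wiped there.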
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index c1d0e14..9586375 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -7,6 +7,25 @@
 #else
 #define PSA_CRYPTO_TEST_SIZE_T_RANGE( x ) 1
 #endif
+
+/** Test if a buffer is not all-bits zero.
+ *
+ * \param buffer    Pointer to the beginning of the buffer.
+ * \param size      Size of the buffer in bytes.
+ *
+ * \return          0 if the buffer is all-bits-zero.
+ * \return          A nonzero value otherwise.
+ */
+int mem_is_nonzero( void *buffer, size_t size )
+{
+    size_t i;
+    for( i = 0; i < size; i++ )
+    {
+        if( ( (unsigned char *) buffer )[i] != 0 )
+            return( i + 1 );
+    }
+    return( 0 );
+}
 /* END_HEADER */
 
 /* BEGIN_DEPENDENCIES
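Review bot: `mem_is_nonzero` returns `i + 1`, which narrows a `size_t` to `int`; the documented contract is only "a nonzero value", so `return( 1 );` states it directly and avoids an implementation-defined conversion that could in principle yield 0 for a very large index. The helper never writes through `buffer` and is only used inside this test file as far as the diff shows, so the signature would read better as `static int mem_is_nonzero( const void *buffer, size_t size )` with the cast changed to `(const unsigned char *)`.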
@@ -106,8 +125,13 @@
                              exported, export_size,
                              &exported_length );
     TEST_ASSERT( status == (psa_status_t) expected_export_status );
+    TEST_ASSERT( ! mem_is_nonzero( exported + exported_length,
+                                   export_size - exported_length ) );
     if( status != PSA_SUCCESS )
+    {
+        TEST_ASSERT( exported_length == 0 );
         goto destroy;
+    }
 
     if( canonical_input )
     {
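Review bot: The added `mem_is_nonzero( exported + exported_length, export_size - exported_length )` check runs before `status` is examined and before anything bounds `exported_length`. If a failing export leaves the length unset or larger than `export_size`, the subtraction wraps as `size_t` and the helper reads past the buffer instead of reporting a clean test failure. Put `TEST_ASSERT( exported_length <= export_size );` ahead of it. The test function starts and ends outside the hunk, so whether `exported_length` is initialised before the call is not visible here.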