psa_export_key: zero out potential garbage in the output buffer

In psa_export_key, ensure that each byte of the output buffer either contains its original value, is zero, or is part of the actual output. Specifically, don't risk having partial output on error, and don't leave extra data at the end of the buffer when exporting an asymmetric key. Test that exporting to a previously zeroed buffer leaves the buffer zeroed outside the actual output if any.
2025-11-04 04:32:24 -05:00 · 2018-06-20 00:11:45 +02:00 · 2018-06-20 00:11:45 +02:00 · e66ca3bbf3
commit e66ca3bbf3
parent 0e2315859f
2 changed files with 29 additions and 0 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -628,17 +628,22 @@ static  psa_status_t psa_internal_export_key( psa_key_slot_t key,
            else
                ret = mbedtls_pk_write_key_der( &pk, data, data_size );
            if( ret < 0 )
+            {
+                memset( data, 0, data_size );
                return( mbedtls_to_psa_error( ret ) );
+            }
            /* The mbedtls_pk_xxx functions write to the end of the buffer.
             * Move the data to the beginning and erase remaining data
             * at the original location. */
            if( 2 * (size_t) ret <= data_size )
            {
                memcpy( data, data + data_size - ret, ret );
+                memset( data + data_size - ret, 0, ret );
            }
            else if( (size_t) ret < data_size )
            {
                memmove( data, data + data_size - ret, ret );
+                memset( data + ret, 0, data_size - ret );
            }
            *data_length = ret;
            return( PSA_SUCCESS );
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@ -7,6 +7,25 @@
 #else
 #define PSA_CRYPTO_TEST_SIZE_T_RANGE( x ) 1
 #endif
+
+/** Test if a buffer is not all-bits zero.
+ *
+ * \param buffer    Pointer to the beginning of the buffer.
+ * \param size      Size of the buffer in bytes.
+ *
+ * \return          0 if the buffer is all-bits-zero.
+ * \return          A nonzero value otherwise.
+ */
+int mem_is_nonzero( void *buffer, size_t size )
+{
+    size_t i;
+    for( i = 0; i < size; i++ )
+    {
+        if( ( (unsigned char *) buffer )[i] != 0 )
+            return( i + 1 );
+    }
+    return( 0 );
+}
 /* END_HEADER */

 /* BEGIN_DEPENDENCIES
@ -106,8 +125,13 @@ void import_export( data_t *data,
                             exported, export_size,
                             &exported_length );
    TEST_ASSERT( status == (psa_status_t) expected_export_status );
+    TEST_ASSERT( ! mem_is_nonzero( exported + exported_length,
+                                   export_size - exported_length ) );
    if( status != PSA_SUCCESS )
+    {
+        TEST_ASSERT( exported_length == 0 );
        goto destroy;
+    }

    if( canonical_input )
    {