From fd4d69a72e3e051eee1d3b5a7ecb7f2d806e9683 Mon Sep 17 00:00:00 2001
From: Steven Cooreman
Date: Wed, 5 Aug 2020 15:46:33 +0200
Subject: [PATCH] Simplified key slot deletion
And zeroize key buffer before freeing to avoid keys hanging around on the heap.
Signed-off-by: Steven Cooreman
---
 library/psa_crypto.c | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 12f05d135..43f6205d4 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1204,24 +1204,15 @@ static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
 }
 else
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
- if( slot->attr.type == PSA_KEY_TYPE_NONE )
- {
- /* No key material to clean. */
- }
- else if( key_type_is_raw_bytes( slot->attr.type ) ||
- PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ||
- PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
 {
+ /* Data pointer will always be either a valid pointer or NULL in an
+ * initialized slot, so we can just free it. */
+ if( slot->data.key.data != NULL )
+ mbedtls_platform_zeroize( slot->data.key.data, slot->data.key.bytes);
 mbedtls_free( slot->data.key.data );
 slot->data.key.data = NULL;
 slot->data.key.bytes = 0;
 }
- else
- {
- /* Shouldn't happen: the key type is not any type that we
- * put in. */
- return( PSA_ERROR_CORRUPTION_DETECTED );
- }
 return( PSA_SUCCESS );
 }
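Review bot: The wipe added before `mbedtls_free` trusts `slot->data.key.bytes` to be the exact size of the allocation behind `slot->data.key.data`, but the new comment states the invariant only for the pointer, and the removed `PSA_ERROR_CORRUPTION_DETECTED` branch was the only consistency check visible on this path. If a slot ever carried a stale or oversized `bytes`, `mbedtls_platform_zeroize` would write past the buffer, so the comment should state the full contract, e.g. `/* data.key.bytes must equal the size allocated for data.key.data; the buffer is wiped before freeing so key material does not linger on the heap. */`. The `if` guarding the wipe is also unbraced and the call lacks the space before `)` that the neighbouring calls use; `if( slot->data.key.data != NULL ) { mbedtls_platform_zeroize( slot->data.key.data, slot->data.key.bytes ); }` keeps a later edit from dropping a statement outside the guard. The function body starts above the hunk, so the branch that precedes the `#endif` is not visible here.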