
fix: zeroize stack buffer containing private key in deterministic ECDSA #798

Open

ChakshuGupta13 wants to merge 1 commit into Mbed-TLS:development from ChakshuGupta13:fix/ecdsa-zeroize-stack-key

Conversation

@ChakshuGupta13

Summary

In mbedtls_ecdsa_sign_det_restartable(), the local stack buffer data[2 * MBEDTLS_ECP_MAX_BYTES] holds the raw ECDSA private key d (written via mbedtls_mpi_write_binary()) for HMAC-DRBG seeding per RFC 6979. After use, the buffer is not cleared in the cleanup path, leaving up to 66 bytes of key material on the stack until overwritten by subsequent calls.

Fix

Add mbedtls_platform_zeroize(data, sizeof(data)) to the cleanup path, before mbedtls_hmac_drbg_free().

Rationale

This brings ecdsa.c to parity with peer modules:

  • hmac_drbg.c: zeroes K[], seed[], buf[] at cleanup (5 call sites)
  • rsa.c: zeroes buf[], mask[], lhash[] at cleanup (4 call sites)
  • ecdsa.c: currently has zero uses of mbedtls_platform_zeroize in the entire file

Scope

Defense-in-depth hardening. The threat model (SECURITY.md) excludes direct local memory access, so this is not classified as a vulnerability fix — it is a missing cleanup consistent with existing project conventions.

Checklist

  • Signed-off-by matching author email
  • ChangeLog entry in ChangeLog.d/zeroize-ecdsa-stack.txt
  • Based on development branch
  • Tests: no functional behavior change; existing test suites cover ECDSA signing correctness

In mbedtls_ecdsa_sign_det_restartable(), the local buffer data[]
holds the raw private key d (via mbedtls_mpi_write_binary) for
HMAC-DRBG seeding per RFC 6979. After use, the buffer was not
cleared, leaving up to 66 bytes of key material on the stack.

Add mbedtls_platform_zeroize(data, sizeof(data)) in the cleanup
path, consistent with the practice in hmac_drbg.c and rsa.c
which zeroize their sensitive local buffers.

Signed-off-by: Chakshu Gupta <chakshugupta2000@gmail.com>
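The pattern the PR describes (key material copied into a stack scratch buffer, consumed, then wiped on every exit path), as an added stand-alone C example. This is not Mbed TLS code: MAX_BYTES stands in for MBEDTLS_ECP_MAX_BYTES, secure_zeroize() is my own volatile-function-pointer memset (the same idea mbedtls_platform_zeroize() relies on in its portable fallback), toy_mix() is a non-cryptographic placeholder for the RFC 6979 HMAC-DRBG seeding, and det_sign_toy()/is_all_zero() are hypothetical names. The example also shows why a plain memset() at the end of a function is not enough: the compiler may treat it as a dead store and drop it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for MBEDTLS_ECP_MAX_BYTES (66 bytes, enough for P-521); assumed
 * here so the scratch buffer has the same 2 * MAX_BYTES shape as data[] in
 * mbedtls_ecdsa_sign_det_restartable(). */
#define MAX_BYTES 66

/* A memset() whose target is about to go out of scope is a dead store from
 * the optimizer's point of view and can legally be removed. Calling memset
 * through a volatile function pointer keeps the wipe in the emitted code;
 * mbedtls_platform_zeroize() uses the same idea when no platform primitive
 * such as explicit_bzero() or memset_s() is available. */
static void *(*const volatile memset_fn)(void *, int, size_t) = memset;

void secure_zeroize(void *buf, size_t len)
{
    if (buf != NULL && len != 0) {
        (void) memset_fn(buf, 0, len);
    }
}

/* Check helper: 1 if every byte of buf is zero, else 0. */
int is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Toy, non-cryptographic mixer standing in for the HMAC-DRBG seeding step.
 * It exists only so the scratch buffer is actually consumed before the
 * cleanup path runs. Requires inlen > 0. */
static void toy_mix(const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t outlen)
{
    uint32_t acc = 0x9E3779B9u;
    size_t i;
    for (i = 0; i < outlen; i++) {
        acc = acc * 1664525u + 1013904223u + in[i % inlen];
        out[i] = (unsigned char) (acc >> 24);
    }
}

/* Mirrors the shape of the function the PR patches: the private key d and
 * the message hash are written into a stack buffer, consumed to derive the
 * deterministic nonce k, and the buffer is wiped on every exit path.
 * Returns 0 on success, -2 if an input does not fit the buffer. */
int det_sign_toy(const unsigned char *d, size_t dlen,
                 const unsigned char *hash, size_t hlen,
                 unsigned char *k_out, size_t klen)
{
    unsigned char data[2 * MAX_BYTES];
    int ret = -1;

    if (dlen == 0 || dlen > MAX_BYTES || hlen > MAX_BYTES) {
        ret = -2;
        goto cleanup;
    }

    /* data = d || hash: the layout ecdsa.c builds with
     * mbedtls_mpi_write_binary() before seeding the HMAC-DRBG. */
    memcpy(data, d, dlen);
    memcpy(data + dlen, hash, hlen);
    toy_mix(data, dlen + hlen, k_out, klen);
    ret = 0;

cleanup:
    /* The one call this PR adds. Without it, up to 2 * MAX_BYTES of key
     * material stays on the stack after return until something overwrites
     * it. It sits first in the cleanup path so it runs on the error exits
     * too, not only after a successful derivation. */
    secure_zeroize(data, sizeof(data));
    return ret;
}
```

Reading a function's stack frame after it returns is undefined behaviour, so the wipe cannot be checked from outside det_sign_toy(); the verifiable properties are that secure_zeroize() clears a caller-owned buffer, that the derivation is deterministic for a fixed (d, hash), and that the size checks reach the cleanup label with the expected status.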
minosgalanakis added labels on Jun 4, 2026: bug (Something isn't working), needs-review (Every commit must be reviewed by at least two team members), needs-reviewer (This PR needs someone to pick it up for review), size-xs (Estimated task size: extra small, a few hours at most), needs-backports (Backports are missing or are pending review and approval), needs-ci (Needs to pass CI tests)
minosgalanakis moved this to Triage in Community on Jun 4, 2026