From 525b87cd720b1362d09f5e95555843dcab99b7b0 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Fri, 8 May 2026 19:43:46 +0200 Subject: [PATCH] Zeroize critical buffers. Signed-off-by: Pol Henarejos
---
 src/apdu.c | 5 +++++ src/crypto_utils.c | 33 ++++++++++++++++++++++++++++----- src/fs/otp.c | 4 ++++ 3 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/src/apdu.c b/src/apdu.c
index f7b1583..68ed762 100644
--- a/src/apdu.c
+++ b/src/apdu.c
@@ -45,6 +45,9 @@ int process_apdu(void) {
 }
 chain_used = (size_t)(chain_ptr - chain_buf);
 if (chain_used + apdu.nc >= sizeof(chain_buf)) {
+ memset(chain_buf, 0, sizeof(chain_buf));
+ chain_ptr = NULL;
+ is_chaining = false;
 return SW_CLA_NOT_SUPPORTED();
 }
 memcpy(chain_ptr, apdu.data, apdu.nc);
@@ -57,6 +60,8 @@ int process_apdu(void) {
 memmove(apdu.data + (chain_ptr - chain_buf), apdu.data, apdu.nc);
 memcpy(apdu.data, chain_buf, chain_ptr - chain_buf);
 apdu.nc += (uint16_t)(chain_ptr - chain_buf);
+ memset(chain_buf, 0, sizeof(chain_buf));
+ chain_ptr = NULL;
 is_chaining = false;
 }
 }
diff --git a/src/crypto_utils.c b/src/crypto_utils.c
index 9fd9af4..4e6a513 100644
--- a/src/crypto_utils.c
+++ b/src/crypto_utils.c
@@ -95,6 +95,7 @@ int encrypt_with_aad(const uint8_t key[32], const uint8_t *in_buf, size_t in_len
 pin_derive_kenc(key, kenc);
 }
 else {
+ mbedtls_gcm_free(&gcm);
 return PICOKEYS_WRONG_DATA;
 }
 int rc = mbedtls_gcm_setkey(&gcm, MBEDTLS_CIPHER_ID_AES, kenc, 256);
@@ -127,6 +128,7 @@ int decrypt_with_aad(const uint8_t key[32], const uint8_t *in_buf, size_t in_len
 pin_derive_kenc(key, kenc);
 }
 else {
+ mbedtls_gcm_free(&gcm);
 return PICOKEYS_WRONG_DATA;
 }
 int rc = mbedtls_gcm_setkey(&gcm, MBEDTLS_CIPHER_ID_AES, kenc, 256);
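Review bot: In src/apdu.c both added wipes of `chain_buf` in process_apdu use plain `memset`, while every other wipe in this commit uses `mbedtls_platform_zeroize`; the same call here, `mbedtls_platform_zeroize(chain_buf, sizeof(chain_buf));`, keeps the zeroisation from depending on what the optimiser decides about the store (assuming the mbedtls header is available in apdu.c). Both hunks also set `chain_ptr = NULL`, and the context line `chain_used = (size_t)(chain_ptr - chain_buf);` subtracts that pointer from the array. That is only well defined if code before the first hunk resets `chain_ptr` to `chain_buf` whenever `is_chaining` is false, which is outside the visible lines and worth confirming; resetting with `chain_ptr = chain_buf;` instead would avoid the question. process_apdu starts and ends outside both hunks.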
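Review bot: Nothing in the encrypt_with_aad hunk, or in the identical decrypt_with_aad hunk, wipes `kenc`, the 256-bit key handed to `mbedtls_gcm_setkey`, although the commit's stated aim is zeroising critical buffers. The added `mbedtls_gcm_free(&gcm)` covers only the `PICOKEYS_WRONG_DATA` return. The paths after `mbedtls_gcm_setkey` are outside the hunks, so confirm each of them ends with `mbedtls_platform_zeroize(kenc, sizeof(kenc));` (assuming `kenc` is a local array) as well as `mbedtls_gcm_free(&gcm)`. Both functions start and end outside the hunks.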
@@ -196,12 +198,20 @@ int aes_encrypt(const uint8_t *key, const uint8_t *iv, uint16_t key_size, int mo
 }
 int r = mbedtls_aes_setkey_enc(&aes, key, key_size);
 if (r != 0) {
+ mbedtls_aes_free(&aes);
+ mbedtls_platform_zeroize(tmp_iv, sizeof(tmp_iv));
 return PICOKEYS_EXEC_ERROR;
 }
+ int rc = 0;
 if (mode == PICOKEYS_AES_MODE_CBC) {
- return mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, len, tmp_iv, data, data);
+ rc = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, len, tmp_iv, data, data);
 }
- return mbedtls_aes_crypt_cfb128(&aes, MBEDTLS_AES_ENCRYPT, len, &iv_offset, tmp_iv, data, data);
+ else {
+ rc = mbedtls_aes_crypt_cfb128(&aes, MBEDTLS_AES_ENCRYPT, len, &iv_offset, tmp_iv, data, data);
+ }
+ mbedtls_aes_free(&aes);
+ mbedtls_platform_zeroize(tmp_iv, sizeof(tmp_iv));
+ return rc;
 }
 
 int aes_decrypt(const uint8_t *key, const uint8_t *iv, uint16_t key_size, int mode, uint8_t *data, uint16_t len) {
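Review bot: The cleanup pair `mbedtls_aes_free(&aes)` / `mbedtls_platform_zeroize(tmp_iv, sizeof(tmp_iv))` is now written twice in aes_encrypt and three times in the aes_decrypt hunk that follows, so any return added later has to remember to repeat it. A single exit label would put the context free and the IV wipe on every path by construction. Any return before the first context line is outside the hunk and should be checked for the same cleanup if `aes` is already initialised at that point. The sketch below shows the shape for aes_encrypt; aes_decrypt would follow the same pattern with its extra `mbedtls_aes_setkey_enc` check jumping to the label.

```c
    int rc = PICOKEYS_EXEC_ERROR;
    if (mbedtls_aes_setkey_enc(&aes, key, key_size) != 0) {
        goto cleanup;
    }
    // … unchanged: CBC / CFB128 branches assigning rc …
cleanup:
    mbedtls_aes_free(&aes);
    mbedtls_platform_zeroize(tmp_iv, sizeof(tmp_iv));
    return rc;
```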
@@ -215,13 +225,26 @@ int aes_decrypt(const uint8_t *key, const uint8_t *iv, uint16_t key_size, int mo
 }
 int r = mbedtls_aes_setkey_dec(&aes, key, key_size);
 if (r != 0) {
+ mbedtls_aes_free(&aes);
+ mbedtls_platform_zeroize(tmp_iv, sizeof(tmp_iv));
 return PICOKEYS_EXEC_ERROR;
 }
+ int rc = 0;
 if (mode == PICOKEYS_AES_MODE_CBC) {
- return mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, len, tmp_iv, data, data);
+ rc = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, len, tmp_iv, data, data);
 }
- r = mbedtls_aes_setkey_enc(&aes, key, key_size); //CFB requires set_enc instead set_dec
- return mbedtls_aes_crypt_cfb128(&aes, MBEDTLS_AES_DECRYPT, len, &iv_offset, tmp_iv, data, data);
+ else {
+ r = mbedtls_aes_setkey_enc(&aes, key, key_size); //CFB requires set_enc instead set_dec
+ if (r != 0) {
+ mbedtls_aes_free(&aes);
+ mbedtls_platform_zeroize(tmp_iv, sizeof(tmp_iv));
+ return PICOKEYS_EXEC_ERROR;
+ }
+ rc = mbedtls_aes_crypt_cfb128(&aes, MBEDTLS_AES_DECRYPT, len, &iv_offset, tmp_iv, data, data);
+ }
+ mbedtls_aes_free(&aes);
+ mbedtls_platform_zeroize(tmp_iv, sizeof(tmp_iv));
+ return rc;
 }
 
 int aes_encrypt_cfb_256(const uint8_t *key, const uint8_t *iv, uint8_t *data, uint16_t len) {
diff --git a/src/fs/otp.c b/src/fs/otp.c
index 0c07ca6..a507cfa 100644
--- a/src/fs/otp.c
+++ b/src/fs/otp.c
@@ -475,6 +475,7 @@ static void otp_invalidate_key(uint16_t row, uint16_t len) {
 if (inval) {
 memset(inval, 0xFF, len * 2);
 otp_write_data_raw(row, inval, len * 2);
+ mbedtls_platform_zeroize(inval, len * 2);
 free(inval);
 }
 }
@@ -489,6 +490,7 @@ static otp_ret_t otp_chaff(uint16_t row, uint16_t len) {
 chaff[i] ^= 0xFF;
 }
 otp_ret_t ret = otp_write_data_raw(row + 32, chaff, len * 2);
+ mbedtls_platform_zeroize(chaff, len * 2);
 free(chaff);
 return ret;
 }
@@ -506,6 +508,7 @@ static otp_ret_t otp_migrate_key(uint16_t new_row, uint16_t old_row, uint16_t le
 otp_chaff(new_row, len);
 otp_invalidate_key(old_row, 32);
 }
+ mbedtls_platform_zeroize(new_key, len);
 free(new_key);
 return ret;
 }
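Review bot: otp_invalidate_key in src/fs/otp.c still fails silently: when `inval` is NULL the `if (inval)` body is skipped, and the result of `otp_write_data_raw(row, inval, len * 2)` is discarded, so the caller cannot tell that the old key row was left intact. Because this function exists to destroy key material, consider returning `otp_ret_t`, as otp_chaff does, and propagating the write result. The added `mbedtls_platform_zeroize(inval, len * 2)` wipes a buffer that the visible lines fill only with 0xFF, which is harmless but holds nothing secret. The allocation of `inval` is outside the hunk.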
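Review bot: In otp_chaff and otp_migrate_key the new `mbedtls_platform_zeroize` calls run unconditionally, whereas otp_invalidate_key guards its buffer with `if (inval)`; unlike `free`, `mbedtls_platform_zeroize` is not documented to accept NULL with a non-zero length. The allocations are outside both hunks, so confirm that `chaff` and `new_key` are NULL-checked before this point, or guard the call, e.g. `if (chaff) mbedtls_platform_zeroize(chaff, len * 2);`. In otp_migrate_key also confirm that `len` is the full allocation size of `new_key`, since the sibling buffers are wiped with `len * 2`; a shorter length would leave part of the key copy in freed heap memory.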
@@ -539,6 +542,7 @@ void otp_init_files(void) {
 #ifdef PICO_RP2350
 otp_chaff(OTP_KEY_1, 32);
 #endif
+ mbedtls_platform_zeroize(mkek, sizeof(mkek));
 write_otp[0] = OTP_KEY_1;
 }
 OTP_READ(OTP_KEY_1, otp_key_1);