From d2081b3a9eafbc376026494ea92a4753da10f157 Mon Sep 17 00:00:00 2001
From: km
Date: Sat, 28 Mar 2026 07:46:51 +0900
Subject: [PATCH] security: Add proper memory zeroizing for sensitive data

- Zeroize clamped scalar 'e' in x25519_sw() before return
- Zeroize output on failure in compute_shared_secret()
- Zeroize output on failure in derive_public_key()
- Fix return value propagation in compute_shared_secret() and derive_public_key()
- Use memzero_explicit() consistently (not se050_x25519_sw_zeroize wrapper)
---
 src/se050_x25519_sw.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/se050_x25519_sw.c b/src/se050_x25519_sw.c
index 1b464df..b8f26be 100644
--- a/src/se050_x25519_sw.c
+++ b/src/se050_x25519_sw.c
@@ -584,7 +584,13 @@ int x25519_sw(uint8_t out[32], const uint8_t scalar[32], const uint8_t point[32]
     /* Step 7: reject all-zero output */
     uint8_t acc = 0;
     for (i = 0; i < 32; i++) acc |= out[i];
-    if (acc == 0) return -1;
+    if (acc == 0) {
+        memzero_explicit(e, 32);
+        return -1;
+    }
+
+    /* Zeroize clamped scalar before return */
+    memzero_explicit(e, 32);
     return 0;
 }
 
@@ -620,9 +626,13 @@ int se050_x25519_sw_compute_shared_secret(uint8_t *shared_secret,
     uint8_t clamped[32];
     memcpy(clamped, private_key, 32);
     se050_x25519_sw_clamp(clamped);
-    x25519_sw(shared_secret, clamped, peer_public);
-    se050_x25519_sw_zeroize(clamped, 32);
-    return 0;
+    int ret = x25519_sw(shared_secret, clamped, peer_public);
+    memzero_explicit(clamped, 32);
+    if (ret < 0) {
+        /* Zeroize output on failure */
+        memzero_explicit(shared_secret, 32);
+    }
+    return ret;
 }
 
 int se050_x25519_sw_derive_public_key(uint8_t *public_key,
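Review bot: The clamped scalar `e` is now wiped on both exits of x25519_sw, but as two separate memzero_explicit() calls that any future early return added between them would bypass; folding the status into a single exit keeps the wipe unconditional: `int ret = (acc == 0) ? -1 : 0;` `memzero_explicit(e, 32);` `return ret;`. Only `e` is cleared here; the ladder's working field elements and swap/select state (not visible in this hunk) also hold scalar-dependent values, so if they are stack locals they presumably warrant the same treatment before return — worth confirming against the rest of the function. The body of x25519_sw starts before this hunk.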
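Review bot: se050_x25519_sw_compute_shared_secret now returns x25519_sw's status and leaves `shared_secret` all-zero on failure, but nothing in the hunk documents this contract change, and a caller written against the old always-0 behaviour that ignores the return would silently proceed with a zeroed key. A comment above the function (its signature starts before the hunk, so the public declaration in the header presumably needs the same note) such as `/* Returns 0 on success, <0 when x25519_sw rejects the peer point (all-zero result); shared_secret is zeroized on failure and must not be used. */` makes the fail-closed behaviour explicit to callers. The memzero_explicit(shared_secret, 32) on the failure branch is redundant with x25519_sw's own all-zero check as the code stands, but it is a reasonable defence against future failure modes in x25519_sw; the same applies to the derive_public_key hunk below.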
@@ -632,9 +642,12 @@ int se050_x25519_sw_derive_public_key(uint8_t *public_key,
     uint8_t clamped[32];
     memcpy(clamped, private_key, 32);
     se050_x25519_sw_clamp(clamped);
-    x25519_sw(public_key, clamped, (const uint8_t*)"basepoint");
-    se050_x25519_sw_zeroize(clamped, 32);
-    return 0;
+    int ret = x25519_sw(public_key, clamped, (const uint8_t*)"basepoint");
+    memzero_explicit(clamped, 32);
+    if (ret < 0) {
+        memzero_explicit(public_key, 32);
+    }
+    return ret;
 }
 
 #ifdef X25519_SW_TEST
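Review bot: The retained call `x25519_sw(public_key, clamped, (const uint8_t*)"basepoint")` passes a 10-byte string literal where x25519_sw's signature (hunk at line 584) declares `const uint8_t point[32]`, so unless x25519_sw special-cases that pointer (not visible here), the ladder reads 22 bytes past the literal and derives the public key from the wrong u-coordinate. The X25519 base point is u = 9, i.e. a 32-byte encoding of 0x09 followed by zeros: `static const uint8_t basepoint[32] = { 9 };` and `int ret = x25519_sw(public_key, clamped, basepoint);`. The failure branch here also lacks the `/* Zeroize output on failure */` comment its twin in se050_x25519_sw_compute_shared_secret carries. The function's signature starts before the hunk.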