RFC 7748 states we may fail if the derived key is all-zero; RFC 8446 states we MUST.
In the OpenSSL backend we do the check (to be accurate OpenSSL does), but we have not been doing anything on the side of minicrypto and boringssl.
This implements the checks, as well as fixing memory leaks that happen when an error is returned from the derivation function (minicrypto) and clearing secrets used (boringssl).
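
The all-zero check and the error-path cleanup described above, as an added C example that is not code from this change or from the project. The names `dh_fn`, `derive_shared_secret`, `secure_clear`, `is_all_zero` and the `stub_*` backends are hypothetical, and the stubs are constructed stand-ins rather than real X25519 arithmetic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SECRET_LEN 32 /* X25519 output size */
/* Hypothetical scalar-multiplication backend; returns 0 on success. */
typedef int (*dh_fn)(uint8_t *out, const uint8_t *priv, const uint8_t *peer_pub);

/* Wipe through a volatile pointer so the stores are not optimized away. */
static void secure_clear(void *p, size_t len) {
    volatile uint8_t *v = p;
    while (len--) *v++ = 0;
}
/* Branch-free test: returns 1 if every byte is zero, else 0. */
static int is_all_zero(const uint8_t *p, size_t len) {
    unsigned acc = 0;
    for (size_t i = 0; i < len; i++) acc |= p[i];
    return (int)(1 & ((acc - 1) >> 8));
}
/* On success *secret owns a SECRET_LEN buffer; on failure it is NULL and nothing leaks. */
static int derive_shared_secret(dh_fn mul, const uint8_t *priv, const uint8_t *peer_pub, uint8_t **secret) {
    uint8_t *buf = malloc(SECRET_LEN);
    int ret = -1;
    *secret = NULL;
    if (buf == NULL) return -1;
    if (mul(buf, priv, peer_pub) != 0) goto Exit;   /* backend error */
    if (is_all_zero(buf, SECRET_LEN)) goto Exit;    /* RFC 8446: MUST abort on all-zero */
    *secret = buf;
    buf = NULL;
    ret = 0;
Exit:
    if (buf != NULL) { /* error path: wipe whatever was written, then free */
        secure_clear(buf, SECRET_LEN);
        free(buf);
    }
    return ret;
}
/* Constructed stand-in backends, not real curve arithmetic. */
static int stub_ok(uint8_t *o, const uint8_t *k, const uint8_t *p) { (void)k; (void)p; memset(o, 0x42, SECRET_LEN); return 0; }
static int stub_zero(uint8_t *o, const uint8_t *k, const uint8_t *p) { (void)k; (void)p; memset(o, 0, SECRET_LEN); return 0; }
static int stub_fail(uint8_t *o, const uint8_t *k, const uint8_t *p) { (void)o; (void)k; (void)p; return -1; }

int main(void) {
    uint8_t priv[SECRET_LEN] = {1}, pub[SECRET_LEN] = {9}, *s;
    int ok = derive_shared_secret(stub_ok, priv, pub, &s) == 0 && s != NULL;
    if (ok) { secure_clear(s, SECRET_LEN); free(s); }
    ok = ok && derive_shared_secret(stub_zero, priv, pub, &s) == -1 && s == NULL;
    ok = ok && derive_shared_secret(stub_fail, priv, pub, &s) == -1 && s == NULL;
    return ok ? 0 : 1;
}
```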