authorFiona Klute <fiona.klute@gmx.de>2020-06-14 12:52:46 +0200
committerDaiki Ueno <ueno@gnu.org>2020-08-31 08:11:04 +0200
commitbc4f12f81e8ab2cea6b63138a2f98ee9c25f86fc (patch)
treea37e37da2d63146294205809f0c95c247073b898
parente940611cd45da7dc16b337109f03f3d9aa5b3f25 (diff)
downloadgnutls-bc4f12f81e8ab2cea6b63138a2f98ee9c25f86fc.tar.gz
Wipe session ticket keys before releasing the session structure
This includes both a copy of the master key and one or two derived keys, all of which could be used to decrypt session tickets if stolen. The derived keys could only be used for tickets issued within a certain time frame (by default several hours). The documentation for gnutls_session_ticket_enable_server() already states that the master key should be wiped before releasing it, and the same should apply to internal copies. Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
-rw-r--r--lib/state.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/state.c b/lib/state.c
index 7d0a77dc95..817a7b8cd8 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -714,6 +714,14 @@ void gnutls_deinit(gnutls_session_t session)
/* overwrite any temp TLS1.3 keys */
gnutls_memset(&session->key.proto, 0, sizeof(session->key.proto));
+ /* clear session ticket keys */
+ gnutls_memset(&session->key.session_ticket_key, 0,
+ TICKET_MASTER_KEY_SIZE);
+ gnutls_memset(&session->key.previous_ticket_key, 0,
+ TICKET_MASTER_KEY_SIZE);
+ gnutls_memset(&session->key.initial_stek, 0,
+ TICKET_MASTER_KEY_SIZE);
+
gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
gnutls_mutex_deinit(&session->internals.epoch_lock);
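Review bot: The three new wipes in gnutls_deinit() hard-code `TICKET_MASTER_KEY_SIZE` as the length, whereas the existing wipe directly above them takes its length from the field with `sizeof(session->key.proto)`. The declarations of `session_ticket_key`, `previous_ticket_key` and `initial_stek` are not visible in this hunk, so it cannot be confirmed here that each is exactly `TICKET_MASTER_KEY_SIZE` bytes. If any of them is, or later becomes, a different size, the wipe would either leave key bytes behind or write past the field. Assuming they are arrays embedded in the struct, writing each call as `gnutls_memset(&session->key.session_ticket_key, 0, sizeof(session->key.session_ticket_key));` keeps the wiped length tied to the declaration. The body of gnutls_deinit() starts and ends outside the hunk.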