From bc4f12f81e8ab2cea6b63138a2f98ee9c25f86fc Mon Sep 17 00:00:00 2001
From: Fiona Klute
Date: Sun, 14 Jun 2020 12:52:46 +0200
Subject: Wipe session ticket keys before releasing the session structure

This includes both a copy of the master key and one or two derived keys, all of which could be used to decrypt session tickets if stolen. The derived keys could only be used for tickets issued within a certain time frame (by default several hours). The documentation for gnutls_session_ticket_enable_server() already states that the master key should be wiped before releasing it, and the same should apply to internal copies.

Signed-off-by: Fiona Klute
---
 lib/state.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/state.c b/lib/state.c
index 7d0a77dc95..817a7b8cd8 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -714,6 +714,14 @@ void gnutls_deinit(gnutls_session_t session)
 /* overwrite any temp TLS1.3 keys */
 gnutls_memset(&session->key.proto, 0, sizeof(session->key.proto));

+ /* clear session ticket keys */
+ gnutls_memset(&session->key.session_ticket_key, 0,
+ TICKET_MASTER_KEY_SIZE);
+ gnutls_memset(&session->key.previous_ticket_key, 0,
+ TICKET_MASTER_KEY_SIZE);
+ gnutls_memset(&session->key.initial_stek, 0,
+ TICKET_MASTER_KEY_SIZE);
+
 gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
 gnutls_mutex_deinit(&session->internals.epoch_lock);

--
cgit v1.2.1
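Review bot: The three added wipes in gnutls_deinit() take their length from the constant `TICKET_MASTER_KEY_SIZE`, whereas the context line directly above sizes its wipe from the object being cleared (`sizeof(session->key.proto)`). The declarations of `session_ticket_key`, `previous_ticket_key` and `initial_stek` are outside this hunk, so it cannot be confirmed here that each buffer is exactly that size; if one of them is ever resized, the wipe would either leave key bytes behind or write past the field without any compiler diagnostic. Assuming the fields are fixed-size arrays (as the `&` usage suggests), tying the length to the field keeps the zeroization correct by construction, e.g. `gnutls_memset(&session->key.initial_stek, 0, sizeof(session->key.initial_stek));` and likewise for the other two. The body of gnutls_deinit() starts and ends outside the hunk.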