authorFiona Klute <fiona.klute@gmx.de>2020-06-14 12:52:46 +0200
committerFiona Klute <fiona.klute@gmx.de>2020-06-14 15:48:39 +0200
commitb58696758c709b97a4b77879d2d3758c2d4bdc1f (patch)
treea51203b526b828bdaa613ea0f2fdf41f75b1383a
parent1270e81b944e1672f89d8a8b1db986535cf5b072 (diff)
downloadgnutls-b58696758c709b97a4b77879d2d3758c2d4bdc1f.tar.gz
Wipe session ticket keys before releasing the session structure
This includes both a copy of the master key and one or two derived keys, all of which could be used to decrypt session tickets if stolen. The derived keys could only be used for tickets issued within a certain time frame (by default several hours). The documentation for gnutls_session_ticket_enable_server() already states that the master key should be wiped before releasing it, and the same should apply to internal copies. Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
-rw-r--r--lib/state.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/state.c b/lib/state.c
index 7d0a77dc95..817a7b8cd8 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -714,6 +714,14 @@ void gnutls_deinit(gnutls_session_t session)
/* overwrite any temp TLS1.3 keys */
gnutls_memset(&session->key.proto, 0, sizeof(session->key.proto));
+ /* clear session ticket keys */
+ gnutls_memset(&session->key.session_ticket_key, 0,
+ TICKET_MASTER_KEY_SIZE);
+ gnutls_memset(&session->key.previous_ticket_key, 0,
+ TICKET_MASTER_KEY_SIZE);
+ gnutls_memset(&session->key.initial_stek, 0,
+ TICKET_MASTER_KEY_SIZE);
+
gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
gnutls_mutex_deinit(&session->internals.epoch_lock);
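Review bot: The three new wipes take their length from `TICKET_MASTER_KEY_SIZE`, whereas the existing wipe directly above them uses `sizeof(session->key.proto)`, so the wipe length is not tied to the fields' declarations. If `session_ticket_key`, `previous_ticket_key` and `initial_stek` are fixed-size arrays (their declarations are not visible in this hunk), prefer `gnutls_memset(&session->key.session_ticket_key, 0, sizeof(session->key.session_ticket_key));` and the same form for the other two. A later change to a buffer size then cannot leave key bytes unwiped or write past the field. The body of gnutls_deinit starts and ends outside the hunk, so it is worth confirming that nothing after these lines reads the ticket keys before the session structure is freed.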