From: Wouter Wijngaards Date: Mon, 8 Apr 2019 14:42:08 +0000 (+0000) Subject: - Fix to wipe ssl ticket keys from memory with explicit_bzero, X-Git-Tag: final-svn-state~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd3c02bd59922626b6a4bfff4600b7786d9382e4;p=thirdparty%2Funbound.git - Fix to wipe ssl ticket keys from memory with explicit_bzero, if available. git-svn-id: file:///svn/unbound/trunk@5153 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index bb09fa39a..0d110b214 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -7,6 +7,8 @@ multicast DNS [RFC 6762] via Avahi. The plugin communicates with Avahi via DBus. The comment section at the beginning of the file contains detailed documentation. + - Fix to wipe ssl ticket keys from memory with explicit_bzero, + if available. 5 April 2019: Wouter - Fix to reinit event structure for accepted TCP (and TLS) sockets. diff --git a/util/net_help.c b/util/net_help.c index a6c3fd5cc..13bcdf808 100644 --- a/util/net_help.c +++ b/util/net_help.c @@ -1245,7 +1245,12 @@ listen_sslctx_delete_ticket_keys(void) struct tls_session_ticket_key *key; if(!ticket_keys) return; for(key = ticket_keys; key->key_name != NULL; key++) { - memset(key->key_name, 0xdd, 80); /* wipe key data from memory*/ + /* wipe key data from memory*/ +#ifdef HAVE_EXPLICIT_BZERO + explicit_bzero(key->key_name, 80); +#else + memset(key->key_name, 0xdd, 80); +#endif free(key->key_name); } free(ticket_keys);
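Review bot: In the #else branch of listen_sslctx_delete_ticket_keys() in util/net_help.c, `memset(key->key_name, 0xdd, 80);` is still followed directly by `free(key->key_name);`, so it is a dead store that an optimizing compiler is allowed to remove. Builds without HAVE_EXPLICIT_BZERO can therefore still leave the ticket key material in freed memory. Consider a fallback that cannot be elided, such as calling memset through a volatile function pointer, or a compat implementation of explicit_bzero so the call site needs no #ifdef. The literal length 80 now appears in both branches; a named constant for the key buffer size would keep the two calls in step with wherever the buffer is allocated.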