Wipe session ticket keys before releasing the session structure
authorFiona Klute <fiona.klute@gmx.de>
Sun, 14 Jun 2020 10:52:46 +0000 (12:52 +0200)
committerFiona Klute <fiona.klute@gmx.de>
Sun, 14 Jun 2020 13:48:39 +0000 (15:48 +0200)
This includes both a copy of the master key and one or two derived
keys, all of which could be used to decrypt session tickets if
stolen. The derived keys could only be used for tickets issued within
a certain time frame (by default several hours).

The documentation for gnutls_session_ticket_enable_server() already
states that the master key should be wiped before releasing it, and
the same should apply to internal copies.

Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
lib/state.c

index 7d0a77dc95884bb956eb7ebc8bd6694c37d364ce..817a7b8cd8f21905fb487526cc8cd7f1c5bed650 100644 (file)
@@ -714,6 +714,14 @@ void gnutls_deinit(gnutls_session_t session)
        /* overwrite any temp TLS1.3 keys */
        gnutls_memset(&session->key.proto, 0, sizeof(session->key.proto));
 
+       /* clear session ticket keys */
+       gnutls_memset(&session->key.session_ticket_key, 0,
+                     TICKET_MASTER_KEY_SIZE);
+       gnutls_memset(&session->key.previous_ticket_key, 0,
+                     TICKET_MASTER_KEY_SIZE);
+       gnutls_memset(&session->key.initial_stek, 0,
+                     TICKET_MASTER_KEY_SIZE);
+
        gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
        gnutls_mutex_deinit(&session->internals.epoch_lock);
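Review bot: The three added wipes pass `TICKET_MASTER_KEY_SIZE` as the length, while the context line just above sizes its wipe from the object itself (`sizeof(session->key.proto)`); if one of these fields were ever declared with a different size, the wipe would silently leave key bytes behind or run past the field. The declarations of `session_ticket_key`, `previous_ticket_key` and `initial_stek` are not visible in this hunk, so assuming they are arrays rather than pointers, tying the length to the field is safer: `gnutls_memset(session->key.session_ticket_key, 0, sizeof(session->key.session_ticket_key));` and likewise for the other two. The body of gnutls_deinit starts and ends outside the hunk.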