TLS 1.3: pre-master secret zeroizing

2022-05-18 08:47:57 +10:00
parent c9ae021427
commit 2f91028f2d
2 changed files with 6 additions and 0 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -6697,6 +6697,7 @@ void FreeArrays(WOLFSSL* ssl, int keep)
            ssl->session->sessionIDSz = ssl->arrays->sessionIDSz;
        }
        if (ssl->arrays->preMasterSecret) {
+            ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
            XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
            ssl->arrays->preMasterSecret = NULL;
        }
--- a/src/tls13.c
+++ b/src/tls13.c
@ -7164,6 +7164,8 @@ static int SendTls13Finished(WOLFSSL* ssl)
        /* Can send application data now. */
        if ((ret = DeriveMasterSecret(ssl)) != 0)
            return ret;
+        /* Last use of preMasterSecret - zeroize as soon as possible. */
+        ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
 #ifdef WOLFSSL_EARLY_DATA
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1))
                                                                         != 0) {
@ -8425,6 +8427,9 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
            if (type == finished) {
                if ((ret = DeriveMasterSecret(ssl)) != 0)
                    return ret;
+                /* Last use of preMasterSecret - zeroize as soon as possible. */
+                ForceZero(ssl->arrays->preMasterSecret,
+                    ssl->arrays->preMasterSz);
        #ifdef WOLFSSL_EARLY_DATA
                if ((ret = DeriveTls13Keys(ssl, traffic_key,
                                    ENCRYPT_AND_DECRYPT_SIDE,