Zeroize preMasterSecret in hybrid PQ/T error cases

Fixes zd#21310, reported by YUE LI (Peking University)
This commit is contained in:
Tobias Frauenschläger
2026-03-09 10:31:14 +01:00
parent b3f08f33b8
commit a4cd2f5f88
+22
View File
@@ -9985,6 +9985,17 @@ static int TLSX_KeyShare_ProcessPqcHybridClient(WOLFSSL* ssl,
ssl->arrays->preMasterSz = ssSzEcc + ssSzPqc;
}
else
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
#endif
{
/* Clear the pre master secret buffer to prevent leaking any
* intermediate keys in the error case. Do not use preMasterSz
* here as it may already been set to the ECC shared secret size,
* which would be too small due to the PQC offset case. */
ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN);
}
TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap);
TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap);
@@ -10721,6 +10732,17 @@ static int TLSX_KeyShare_HandlePqcHybridKeyServer(WOLFSSL* ssl,
* the server side. */
ssl->namedGroup = keyShareEntry->group;
}
else
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
#endif
{
/* Clear the pre master secret buffer to prevent leaking any
* intermediate keys in the error case. Do not use preMasterSz
* here as it may already been set to the ECC shared secret size,
* which would be too small due to the PQC offset case. */
ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN);
}
TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap);
TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap);