From ecb95bea1da239175d73041dd542777de6742e61 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 11 Aug 2023 16:41:04 +0100 Subject: [PATCH 1/2] Fix incorrect size used for zeroization of buffer Signed-off-by: Paul Elliott --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6ed8a863e9..7a1f85531f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7722,7 +7722,7 @@ static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx, MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len); - mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); + mbedtls_platform_zeroize(padbuf, hlen); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); From 83ae22dbbdf75e55bd9b57f366e29855c39e7453 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 11 Aug 2023 16:46:15 +0100 Subject: [PATCH 2/2] Add Changelog entry Signed-off-by: Paul Elliott --- ChangeLog.d/fix-tls-padbuf-zeroization | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/fix-tls-padbuf-zeroization diff --git a/ChangeLog.d/fix-tls-padbuf-zeroization b/ChangeLog.d/fix-tls-padbuf-zeroization new file mode 100644 index 0000000000..36451cb4bb --- /dev/null +++ b/ChangeLog.d/fix-tls-padbuf-zeroization @@ -0,0 +1,4 @@ +Security + * Fix a case where potentially sensitive information held in memory would not + be completely zeroized during TLS 1.2 handshake, in both server and client + configurations.