clear the secret on stack
diff --git a/lib/picotls.c b/lib/picotls.c
index 3a884fd..04140cf 100644
--- a/lib/picotls.c
+++ b/lib/picotls.c
@@ -3247,10 +3247,13 @@
     ptls_hash_algorithm_t *hash = tls->key_schedule->hashes[0].algo;
     if ((ret = hkdf_expand_label(hash, secret, hash->digest_size, ptls_iovec_init(tp->secret, hash->digest_size), "traffic upd",
                                  ptls_iovec_init(NULL, 0), tls->key_schedule->hkdf_label_prefix)) != 0)
-        return ret;
-
+        goto Exit;
     memcpy(tp->secret, secret, sizeof(secret));
-    return setup_traffic_protection(tls, is_enc, NULL, 3, 1);
+    ret = setup_traffic_protection(tls, is_enc, NULL, 3, 1);
+
+Exit:
+    ptls_clear_memory(secret, sizeof(secret));
+    return ret;
 }
 
 static int handle_key_update(ptls_t *tls, struct st_ptls_message_emitter_t *emitter, ptls_iovec_t message)
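Review bot: The context line `memcpy(tp->secret, secret, sizeof(secret));` just above the new `Exit:` label copies the whole buffer, while `hkdf_expand_label` is asked for only `hash->digest_size` bytes. The declaration of `secret` is outside the hunk, so this is an inference, but if the array is larger than the digest and not zero-initialised, indeterminate stack bytes end up in the long-lived `tp->secret`. Copying only what was derived, `memcpy(tp->secret, secret, hash->digest_size);`, avoids that, and the new `ptls_clear_memory(secret, sizeof(secret));` is right to keep covering the full array. The cleanup label would also benefit from a one-line comment such as `/* wipe the stack copy of the updated traffic secret on both success and error paths */`, so a later early `return` is not added past it.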