Zeroize hkdf_label buffer

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index e503f98..d4a8e46 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -145,7 +145,7 @@
                      unsigned char *buf, size_t buf_len )
 {
     unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
-    size_t hkdf_label_len;
+    size_t hkdf_label_len = 0;
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
     psa_key_derivation_operation_t operation =
@@ -211,6 +211,7 @@
 cleanup:
     abort_status = psa_key_derivation_abort( &operation );
     status = ( status == PSA_SUCCESS ? abort_status : status );
+    mbedtls_platform_zeroize( hkdf_label, hkdf_label_len );
     return( psa_ssl_status_to_mbedtls ( status ) );
 }
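Review bot: The wipe added at `cleanup:` clears only `hkdf_label_len` bytes, so it is correct only if that variable matches what was actually written to the buffer on every path that reaches the label. Because `hkdf_label` is a fixed-size stack array (declared in the first hunk), `mbedtls_platform_zeroize( hkdf_label, sizeof( hkdf_label ) );` would clear the whole buffer no matter how far label construction got, and the wipe would no longer rely on the `= 0` initializer. The function body between the two hunks is not visible here, so confirm that every exit after the label is built goes through `cleanup:` rather than returning directly. A one-line comment such as `/* hkdf_label may hold caller-supplied context; wipe it before returning */` would record why the call is there.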