Skip to content

Zeroize sensitive memory in TLS KDF#429

Merged
simo5 merged 1 commit intolatchset:mainfrom
simo5:tlskdf_zeromem
Mar 11, 2026
Merged

Zeroize sensitive memory in TLS KDF#429
simo5 merged 1 commit intolatchset:mainfrom
simo5:tlskdf_zeromem

Conversation

@simo5
Copy link
Member

@simo5 simo5 commented Mar 10, 2026

Description

Implement the Drop trait for TLSKDFOperation to securely zero out the client random, server random, and session hash using zeromem. Additionally, explicitly zeroize the derived key material (dkm) buffer immediately after use. This prevents cryptographic secrets from lingering in memory, reducing the risk of data leakage.

Reviewer's checklist:

  • Any issues marked for closing are fully addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • A changelog entry is added if the change is significant
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible text
  • Doc string are properly updated

@simo5
Zeroize sensitive memory in TLS KDF
83b4441 
Implement the Drop trait for TLSKDFOperation to securely zero out the client
random, server random, and session hash using zeromem. Additionally,
explicitly zeroize the derived key material (dkm) buffer immediately after
use. This prevents cryptographic secrets from lingering in memory, reducing
the risk of data leakage.

Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5 simo5 requested a review from Jakuje March 10, 2026 22:49
@simo5 simo5 merged commit c0fc5b3 into latchset:main Mar 11, 2026
50 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jakuje Jakuje Jakuje approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@simo5 @Jakuje