wolfcrypt: zero sensitive buffers

JeremiahM37 · JeremiahM37 · commit 63f0707f5ab5 · 2026-05-06T16:01:03.000Z
diff --git a/wolfcrypt/src/camellia.c b/wolfcrypt/src/camellia.c
@@ -1634,5 +1634,13 @@ int wc_CamelliaCbcDecrypt(wc_Camellia* cam, byte* out, const byte* in, word32 sz
 }
 
 
+void wc_CamelliaFree(wc_Camellia* cam)
+{
+    if (cam == NULL)
+        return;
+    ForceZero(cam, sizeof(wc_Camellia));
+}
+
+
 #endif /* HAVE_CAMELLIA */
 
diff --git a/wolfcrypt/src/curve25519.c b/wolfcrypt/src/curve25519.c
@@ -250,7 +250,7 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
     for (cnt = 0; cnt < WOLFSSL_CURVE25519_BLINDING_RAND_CNT; cnt++) {
         ret = wc_RNG_GenerateBlock(rng, rz, sizeof(rz));
         if (ret < 0) {
-            return ret;
+            goto cleanup;
         }
         for (i = CURVE25519_KEYSIZE - 1; i >= 0; i--) {
             if (rz[i] != 0xff)
@@ -261,13 +261,14 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
         }
     }
     if (cnt == WOLFSSL_CURVE25519_BLINDING_RAND_CNT) {
-        return RNG_FAILURE_E;
+        ret = RNG_FAILURE_E;
+        goto cleanup;
     }
 
     /* Generate 253 random bits. */
     ret = wc_RNG_GenerateBlock(rng, a, sizeof(a));
     if (ret != 0)
-        return ret;
+        goto cleanup;
     a[CURVE25519_KEYSIZE-1] &= 0x7f;
     /* k' = k ^ 2k ^ a */
     n_a[0] = n[0] ^ (byte)(n[0] << 1) ^ a[0];
@@ -281,6 +282,11 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
     /* Scalar multiple blinded scalar with blinding value. */
     ret = curve25519_blind(rp, n_a, a, p, rz);
 
+cleanup:
+    ForceZero(a, sizeof(a));
+    ForceZero(n_a, sizeof(n_a));
+    ForceZero(rz, sizeof(rz));
+
     RESTORE_VECTOR_REGISTERS();
 
     return ret;
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
@@ -3016,6 +3016,9 @@ int wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(WOLFSSL_EVP_PKEY_CTX* ctx,
     }
 
     if (ret == WOLFSSL_SUCCESS) {
+        if (ctx->pkey->hkdfKey != NULL && ctx->pkey->hkdfKeySz > 0) {
+            ForceZero(ctx->pkey->hkdfKey, ctx->pkey->hkdfKeySz);
+        }
         XFREE(ctx->pkey->hkdfKey, NULL, DYNAMIC_TYPE_KEY);
         ctx->pkey->hkdfKey = (byte*)XMALLOC((size_t)keySz, NULL,
             DYNAMIC_TYPE_KEY);
@@ -11778,6 +11781,9 @@ void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY* key)
                 case WC_EVP_PKEY_HKDF:
                     XFREE(key->hkdfSalt, NULL, DYNAMIC_TYPE_SALT);
                     key->hkdfSalt = NULL;
+                    if (key->hkdfKey != NULL && key->hkdfKeySz > 0) {
+                        ForceZero(key->hkdfKey, key->hkdfKeySz);
+                    }
                     XFREE(key->hkdfKey, NULL, DYNAMIC_TYPE_KEY);
                     key->hkdfKey = NULL;
                     XFREE(key->hkdfInfo, NULL, DYNAMIC_TYPE_INFO);
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
@@ -584,7 +584,6 @@ static int Hash_DRBG_Reseed(DRBG_internal* drbg, const byte* seed, word32 seedSz
                 additional, additionalSz);
     if (ret == DRBG_SUCCESS) {
         XMEMCPY(drbg->V, newV, sizeof(drbg->V));
-        ForceZero(newV, DRBG_SEED_LEN);
 
         ret = Hash_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
                                     sizeof(drbg->V), NULL, 0, NULL, 0);
@@ -593,6 +592,8 @@ static int Hash_DRBG_Reseed(DRBG_internal* drbg, const byte* seed, word32 seedSz
         drbg->reseedCtr = 1;
     }
 
+    ForceZero(newV, DRBG_SEED_LEN);
+
 #ifndef WOLFSSL_SMALL_STACK_CACHE
     WC_FREE_VAR_EX(newV, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -1177,7 +1178,6 @@ static int Hash512_DRBG_Reseed(DRBG_SHA512_internal* drbg, const byte* seed,
                 additional, additionalSz);
     if (ret == DRBG_SUCCESS) {
         XMEMCPY(drbg->V, newV, sizeof(drbg->V));
-        ForceZero(newV, DRBG_SHA512_SEED_LEN);
 
         ret = Hash512_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
                                     sizeof(drbg->V), NULL, 0,
@@ -1187,6 +1187,8 @@ static int Hash512_DRBG_Reseed(DRBG_SHA512_internal* drbg, const byte* seed,
         drbg->reseedCtr = 1;
     }
 
+    ForceZero(newV, DRBG_SHA512_SEED_LEN);
+
 #ifndef WOLFSSL_SMALL_STACK_CACHE
     WC_FREE_VAR_EX(newV, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
@@ -1398,6 +1398,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
     /* generate random seed */
     if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
             WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            ForceZero(seed, hLen);
             WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
         return ret;
     }
@@ -1408,6 +1409,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
     if (dbMask == NULL) {
 
             XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            ForceZero(seed, hLen);
             XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
         return MEMORY_E;
     }
@@ -1421,6 +1423,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
     if (ret != 0) {
             WC_FREE_VAR_EX(dbMask, heap, DYNAMIC_TYPE_RSA);
             WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            ForceZero(seed, hLen);
             WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
         return ret;
     }
@@ -1435,6 +1438,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
     if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
                                            pkcsBlock + 1, hLen, heap)) != 0) {
             WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            ForceZero(seed, hLen);
             WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
         return ret;
     }
diff --git a/wolfcrypt/src/wc_slhdsa.c b/wolfcrypt/src/wc_slhdsa.c
@@ -7261,6 +7261,8 @@ int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx, byte ctxSz,
             sigSz, addRnd);
     }
 
+    ForceZero(addRnd, sizeof(addRnd));
+
     return ret;
 }
 
@@ -8056,6 +8058,8 @@ int wc_SlhDsaKey_SignHash(SlhDsaKey* key, const byte* ctx, byte ctxSz,
             hashType, sig, sigSz, addRnd);
     }
 
+    ForceZero(addRnd, sizeof(addRnd));
+
     return ret;
 }
 #endif /* !WOLFSSL_SLHDSA_VERIFY_ONLY */
diff --git a/wolfssl/wolfcrypt/camellia.h b/wolfssl/wolfcrypt/camellia.h
@@ -90,6 +90,7 @@ WOLFSSL_API int wc_CamelliaCbcEncrypt(wc_Camellia* cam,
                                           byte* out, const byte* in, word32 sz);
 WOLFSSL_API int wc_CamelliaCbcDecrypt(wc_Camellia* cam,
                                           byte* out, const byte* in, word32 sz);
+WOLFSSL_API void wc_CamelliaFree(wc_Camellia* cam);
 
 #ifndef OPENSSL_COEXIST
 

Original file line number	Diff line number	Diff line change
`@@ -7261,6 +7261,8 @@ int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx, byte ctxSz,`
`7261`	`7261`	`sigSz, addRnd);`
`7262`	`7262`	`}`
`7263`	`7263`
	`7264`	`+ ForceZero(addRnd, sizeof(addRnd));`
	`7265`	`+`
`7264`	`7266`	`return ret;`
`7265`	`7267`	`}`
`7266`	`7268`
`@@ -8056,6 +8058,8 @@ int wc_SlhDsaKey_SignHash(SlhDsaKey* key, const byte* ctx, byte ctxSz,`
`8056`	`8058`	`hashType, sig, sigSz, addRnd);`
`8057`	`8059`	`}`
`8058`	`8060`
	`8061`	`+ ForceZero(addRnd, sizeof(addRnd));`
	`8062`	`+`
`8059`	`8063`	`return ret;`
`8060`	`8064`	`}`
`8061`	`8065`	`#endif /* !WOLFSSL_SLHDSA_VERIFY_ONLY */`