Merge pull request #9886 from philljj/fix_f_193

douzzer · web-flow · commit b02ddde4f2be · 2026-03-09T23:43:26.000-05:00
wc_encrypt: add missing ForceZero for Des, Arc4, Rc2.
diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c
@@ -518,6 +518,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
                         wc_Des_CbcDecrypt(&des, input, input, (word32)length);
                     }
                 }
+                ForceZero(&des, sizeof(Des));
                 break;
             }
         #endif /* !NO_SHA || !NO_MD5 */
@@ -561,6 +562,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
 
                 wc_Arc4SetKey(&dec, key, derivedLen);
                 wc_Arc4Process(&dec, input, input, (word32)length);
+                ForceZero(&dec, sizeof(Arc4));
                 break;
             }
     #endif
@@ -629,9 +631,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
                     else
                         ret = wc_Rc2CbcDecrypt(&rc2, input, input, length);
                 }
-                if (ret == 0) {
-                    ForceZero(&rc2, sizeof(Rc2));
-                }
+                ForceZero(&rc2, sizeof(Rc2));
                 break;
             }
     #endif

Original file line number	Diff line number	Diff line change
`@@ -518,6 +518,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,`
`518`	`518`	`wc_Des_CbcDecrypt(&des, input, input, (word32)length);`
`519`	`519`	`}`
`520`	`520`	`}`
	`521`	`+ ForceZero(&des, sizeof(Des));`
`521`	`522`	`break;`
`522`	`523`	`}`
`523`	`524`	`#endif /* !NO_SHA \|\| !NO_MD5 */`
`@@ -561,6 +562,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,`
`561`	`562`
`562`	`563`	`wc_Arc4SetKey(&dec, key, derivedLen);`
`563`	`564`	`wc_Arc4Process(&dec, input, input, (word32)length);`
	`565`	`+ ForceZero(&dec, sizeof(Arc4));`
`564`	`566`	`break;`
`565`	`567`	`}`
`566`	`568`	`#endif`
`@@ -629,9 +631,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,`
`629`	`631`	`else`
`630`	`632`	`ret = wc_Rc2CbcDecrypt(&rc2, input, input, length);`
`631`	`633`	`}`
`632`		`- if (ret == 0) {`
`633`		`- ForceZero(&rc2, sizeof(Rc2));`
`634`		`- }`
	`634`	`+ ForceZero(&rc2, sizeof(Rc2));`
`635`	`635`	`break;`
`636`	`636`	`}`
`637`	`637`	`#endif`