Fix invalid preprocessor guard in PKCS7 with SHA224

Frauschi · Frauschi · commit f55ebd58ac0b · 2026-04-13T16:34:23.000+02:00
Also add missing ForceZero for ECDH shared secret on the heap.
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
@@ -7771,7 +7771,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng,
             kdfType = WC_HASH_TYPE_SHA;
             break;
     #endif
-    #ifndef WOLFSSL_SHA224
+    #ifdef WOLFSSL_SHA224
         case dhSinglePass_stdDH_sha224kdf_scheme:
             kdfType = WC_HASH_TYPE_SHA224;
             break;
@@ -7793,6 +7793,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng,
     #endif
         default:
             WOLFSSL_MSG("Unsupported key agreement algorithm");
+            ForceZero(secret, secretSz);
             XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7);
             return BAD_FUNC_ARG;
     };
@@ -7805,6 +7806,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng,
     ret = NOT_COMPILED_IN;
 #endif
 
+    ForceZero(secret, secretSz);
     XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7);
     return ret;
 }
