From 3e39a5c11e20ddb6bcf6f74b5fa0d3cef12639d2 Mon Sep 17 00:00:00 2001
From: jordan
Date: Thu, 5 Mar 2026 13:09:26 -0600
Subject: [PATCH 1/2] pwdbased: add missing ForceZero for blocks, v, y.
---
 wolfcrypt/src/pwdbased.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c
index 5e212b5d6cc..a6b71acc869 100644
--- a/wolfcrypt/src/pwdbased.c
+++ b/wolfcrypt/src/pwdbased.c
@@ -830,6 +830,16 @@ int wc_scrypt(byte* output, const byte* passwd, int passLen,
 ret = wc_PBKDF2(output, passwd, passLen, blocks, (int)blocksSz, 1, dkLen, WC_SHA256);
 end:
+ if (blocks != NULL) {
+ ForceZero(blocks, blocksSz);
+ }
+ if (v != NULL) {
+ ForceZero(v, ((size_t)1 << cost) * (size_t)bSz);
+ }
+ if (y != NULL) {
+ ForceZero(y, (size_t)(blockSize * 128));
+ }
+
 XFREE(blocks, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 XFREE(v, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 XFREE(y, NULL, DYNAMIC_TYPE_TMP_BUFFER);
From 7726f5cc7f90317868a8bc659f5f2ade0a0111de Mon Sep 17 00:00:00 2001
From: jordan
Date: Fri, 6 Mar 2026 09:59:43 -0600
Subject: [PATCH 2/2] pwdbased: fix cast warning.
---
 wolfcrypt/src/pwdbased.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c
index a6b71acc869..68e3ab16355 100644
--- a/wolfcrypt/src/pwdbased.c
+++ b/wolfcrypt/src/pwdbased.c
@@ -837,7 +837,7 @@ int wc_scrypt(byte* output, const byte* passwd, int passLen,
 ForceZero(v, ((size_t)1 << cost) * (size_t)bSz);
 }
 if (y != NULL) {
- ForceZero(y, (size_t)(blockSize * 128));
+ ForceZero(y, (size_t)blockSize * 128);
 }
 XFREE(blocks, NULL, DYNAMIC_TYPE_TMP_BUFFER);
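Review bot: The three ForceZero lengths under `end:` are re-derived at the cleanup site instead of reusing the sizes passed to the allocations, and those allocations are outside the hunk, so nothing visible here guarantees the two stay equal. For `v` the length is computed in `size_t` as `((size_t)1 << cost) * (size_t)bSz`; if the allocation forms that product in a narrower type, a wrapped allocation size would make this wipe run past the buffer, while a length that is too short would leave password-derived material in freed memory. I would compute each size once where the buffer is allocated, e.g. `vSz = ((size_t)1 << cost) * (size_t)bSz;`, and pass that same local to both the allocator and `ForceZero(v, vSz);`, doing likewise for `y`, whose length expression the hunk in the second patch changes to `(size_t)blockSize * 128`. It is also worth confirming that ForceZero's length parameter is wide enough for these `size_t` values; the body of wc_scrypt starts and ends outside both hunks.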