From dd2c5a7d2ef8d839e06ef07c571893fe2f0c4da0 Mon Sep 17 00:00:00 2001
From: jordan <jordan@wolfssl.com>
Date: Thu, 5 Mar 2026 14:24:20 -0600
Subject: [PATCH] hmac: add missing ForceZero for tmp, prk.

---
 wolfcrypt/src/hmac.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c
index f42292f8eec..fa9b9aaecf6 100644
--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@@ -1679,6 +1679,7 @@ int wolfSSL_GetHmacMaxSize(void)
             n++;
         }
 
+        ForceZero(tmp, WC_MAX_DIGEST_SIZE);
         wc_HmacFree(myHmac);
         WC_FREE_VAR_EX(myHmac, NULL, DYNAMIC_TYPE_HMAC);
 
@@ -1734,11 +1735,12 @@ int wolfSSL_GetHmacMaxSize(void)
 
         ret = wc_HKDF_Extract_ex(type, salt, saltSz, inKey, inKeySz, prk, heap,
                                  devId);
-        if (ret != 0)
-            return ret;
-
-        return wc_HKDF_Expand_ex(type, prk, hashSz, info, infoSz, out, outSz,
-                                 heap, devId);
+        if (ret == 0) {
+            ret = wc_HKDF_Expand_ex(type, prk, hashSz, info, infoSz,
+                                    out, outSz, heap, devId);
+        }
+        ForceZero(prk, WC_MAX_DIGEST_SIZE);
+        return ret;
     }
 
     int wc_HKDF(int type, const byte* inKey, word32 inKeySz, const byte* salt,