fix out-of-order ForceZero()s in wc_HKDF_Extract(), wc_HKDF_Expand(), and wc_SSH_KDF() (fixes 844e961ff5).

2025-12-18 15:35:10 -06:00
parent 9160ac04fd
commit 2cf1253c54
2 changed files with 3 additions and 3 deletions
--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@@ -1279,8 +1279,8 @@ int wolfSSL_GetHmacMaxSize(void)
                ret = wc_HmacUpdate(&myHmac, inKey, inKeySz);
            if (ret == 0)
                ret = wc_HmacFinal(&myHmac,  out);
-            ForceZero(&myHmac, sizeof(myHmac));
            wc_HmacFree(&myHmac);
+            ForceZero(&myHmac, sizeof(myHmac));
        }

        return ret;
@@ -1345,8 +1345,8 @@ int wolfSSL_GetHmacMaxSize(void)
            n++;
        }

-        ForceZero(&myHmac, sizeof(myHmac));
        wc_HmacFree(&myHmac);
+        ForceZero(&myHmac, sizeof(myHmac));

        return ret;
    }
--- a/wolfcrypt/src/kdf.c
+++ b/wolfcrypt/src/kdf.c
@@ -734,8 +734,8 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz,
        }
    }

-    ForceZero(&hash, sizeof(hash));
    _HashFree(enmhashId, &hash);
+    ForceZero(&hash, sizeof(hash));

    return ret;
 }