Skip to content

fix: zeroize RSA private key before free#273

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/rsa-genkey-zeroize-before-free
Open

fix: zeroize RSA private key before free#273
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/rsa-genkey-zeroize-before-free

Conversation

@MarkAtwood

Copy link
Copy Markdown

Bug

wolfCLU_genKey_RSA (src/genkey/clu_genkey.c) frees the RSA private-key DER buffer (derBuf) and PEM buffer (pemBuf) with bare XFREE, leaving private key material in freed heap. There are ZERO wolfCLU_ForceZero calls anywhere in the RSA function, while every other key path in the same file (Dilithium, XMSS, ECC/Ed25519 cleanups — 30+ ForceZero sites) wipes before free. RSA was the outlier.

Two sites are affected, both holding the just-written private key:

  • the fall-through free when flagOutputPub == 1 (also emitting the public key)
  • the final cleanup block

Fix

Add wolfCLU_ForceZero before each XFREE, matching the in-file Dilithium precedent. Guarded on size > 0 because derBufSz/pemBufSz can be negative on an error break (e.g. a failed wc_RsaKeyToDer) and wolfCLU_ForceZero takes an unsigned int length — a bare call would overwrite past the allocation. wolfCLU_ForceZero is already declared in wolfclu/clu_header_main.h and defined in src/tools/clu_funcs.c; no new include. Both hunks stay inside the existing #ifndef NO_RSA region.

Verification

Patched src/genkey/clu_genkey.c compiles clean (gcc -c) against an --enable-all wolfSSL install; nm shows wolfCLU_ForceZero now referenced from the RSA TU and wolfCLU_genKey_RSA defined.

Reported by static analysis (Fenrir finding 666).

wolfCLU_genKey_RSA frees the RSA private-key DER (derBuf) and PEM
(pemBuf) buffers without wiping them first, leaving private key
material in freed heap. Every other key path in this file (Dilithium,
XMSS, and the ECC/Ed25519 cleanups) zeroizes before free; RSA was the
outlier.

Add wolfCLU_ForceZero before XFREE at both the fall-through free (when
also writing the public key) and the final cleanup, guarded on size > 0
because derBufSz/pemBufSz can be negative on an error break and
wolfCLU_ForceZero takes an unsigned length.

Build-verified: patched src/genkey/clu_genkey.c compiles clean against
an --enable-all wolfSSL install; wolfCLU_ForceZero now referenced from
the RSA TU. Reported by static analysis (Fenrir finding 666).
Copilot AI review requested due to automatic review settings July 9, 2026 23:51

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

This PR hardens RSA key generation cleanup by zeroizing RSA private-key buffers before freeing them, aligning RSA behavior with other key types in the same file.

Changes:

  • Add wolfCLU_ForceZero() calls before XFREE() for derBuf and pemBuf in the flagOutputPub == 1 fall-through cleanup.
  • Add wolfCLU_ForceZero() calls before XFREE() for derBuf and pemBuf in the final cleanup block.
  • Guard zeroization on *_BufSz > 0 to avoid unsigned-length issues on error paths.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/genkey/clu_genkey.c
Comment on lines +924 to 930
if (derBufSz > 0)
wolfCLU_ForceZero(derBuf, derBufSz);
XFREE(derBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
derBuf = NULL;
if (pemBufSz > 0)
wolfCLU_ForceZero(pemBuf, pemBufSz);
XFREE(pemBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
Comment thread src/genkey/clu_genkey.c
Comment on lines +1021 to +1022
if (derBufSz > 0)
wolfCLU_ForceZero(derBuf, derBufSz);
Comment thread src/genkey/clu_genkey.c
Comment on lines +1026 to +1027
if (pemBufSz > 0)
wolfCLU_ForceZero(pemBuf, pemBufSz);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants