From 636c64152d12f9512afdb4f441a571b1d153fdc1 Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Thu, 9 Jul 2026 16:50:48 -0700 Subject: [PATCH] fix: zeroize RSA private key before free wolfCLU_genKey_RSA frees the RSA private-key DER (derBuf) and PEM (pemBuf) buffers without wiping them first, leaving private key material in freed heap. Every other key path in this file (Dilithium, XMSS, and the ECC/Ed25519 cleanups) zeroizes before free; RSA was the outlier. Add wolfCLU_ForceZero before XFREE at both the fall-through free (when also writing the public key) and the final cleanup, guarded on size > 0 because derBufSz/pemBufSz can be negative on an error break and wolfCLU_ForceZero takes an unsigned length. Build-verified: patched src/genkey/clu_genkey.c compiles clean against an --enable-all wolfSSL install; wolfCLU_ForceZero now referenced from the RSA TU. Reported by static analysis (Fenrir finding 666). --- src/genkey/clu_genkey.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/genkey/clu_genkey.c b/src/genkey/clu_genkey.c index 7e27eef3..b6029e92 100644 --- a/src/genkey/clu_genkey.c +++ b/src/genkey/clu_genkey.c @@ -921,8 +921,12 @@ int wolfCLU_genKey_RSA(WC_RNG* rng, char* fName, int directive, int fmt, int XFCLOSE(file); file = NULL; + if (derBufSz > 0) + wolfCLU_ForceZero(derBuf, derBufSz); XFREE(derBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); derBuf = NULL; + if (pemBufSz > 0) + wolfCLU_ForceZero(pemBuf, pemBufSz); XFREE(pemBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); pemBuf = NULL; @@ -1014,9 +1018,13 @@ int wolfCLU_genKey_RSA(WC_RNG* rng, char* fName, int directive, int fmt, int fOutNameBuf = NULL; } if (derBuf != NULL) { + if (derBufSz > 0) + wolfCLU_ForceZero(derBuf, derBufSz); XFREE(derBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } if (pemBuf != NULL) { + if (pemBufSz > 0) + wolfCLU_ForceZero(pemBuf, pemBufSz); XFREE(pemBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } if (file != NULL) {