Skip to content

Add missing ForceZero calls#9885

Merged
douzzer merged 1 commit intowolfSSL:masterfrom
Frauschi:missing_force_zero
Mar 11, 2026
Merged

Add missing ForceZero calls#9885
douzzer merged 1 commit intowolfSSL:masterfrom
Frauschi:missing_force_zero

Conversation

@Frauschi
Copy link
Copy Markdown
Contributor

@Frauschi Frauschi commented Mar 5, 2026

F-13, F-14, F-197, F-198, F-199, and F-200. All at once as these are very similar.

@Frauschi Frauschi force-pushed the missing_force_zero branch from f1a0807 to c577968 Compare March 5, 2026 17:55
@JacobBarthelmeh JacobBarthelmeh requested a review from Copilot March 5, 2026 21:06
Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds explicit zeroization of sensitive buffers (ForceZero + optional wc_MemZero_Check) to address several missing wipe sites across TLS 1.2/1.3 key derivation paths.

Changes:

  • Ensure temporary key material in TLS 1.3 secret derivation is wiped before returning.
  • Wipe PRF/key-derivation intermediate buffers in TLS 1.2/legacy paths before freeing.
  • Introduce misc include plumbing in keys.c to make ForceZero available.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
src/tls13.c Adds cleanup path to wipe derived key buffer(s) in TLS 1.3 secret derivation.
src/tls.c Wipes PRF digest buffer before freeing in TLS key derivation.
src/keys.c Wipes multiple TLS 1.0–1.2 derivation intermediates; replaces manual loops with ForceZero; adds ForceZero include wiring.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/tls13.c
Comment thread src/keys.c
Comment thread src/keys.c
Comment thread src/tls.c
SparkiDev
SparkiDev reviewed Mar 5, 2026
View reviewed changes
Comment thread src/keys.c
@Frauschi Frauschi force-pushed the missing_force_zero branch from c577968 to e615773 Compare March 6, 2026 09:57
@philljj philljj added the For This Release Release version 5.9.1 label Mar 6, 2026
@Frauschi Frauschi force-pushed the missing_force_zero branch from e615773 to 001eae7 Compare March 6, 2026 14:22
@Frauschi Frauschi assigned wolfSSL-Bot and unassigned Frauschi Mar 10, 2026
@Frauschi Frauschi requested a review from SparkiDev March 10, 2026 05:59
@douzzer douzzer added the Staged Staged for merge pending final test results and review label Mar 10, 2026
@douzzer douzzer merged commit e4dea8f into wolfSSL:master Mar 11, 2026
451 of 452 checks passed
@Frauschi Frauschi deleted the missing_force_zero branch March 17, 2026 09:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@douzzer douzzer douzzer approved these changes

@SparkiDev SparkiDev Awaiting requested review from SparkiDev

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

For This Release Release version 5.9.1 Staged Staged for merge pending final test results and review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Frauschi @douzzer @SparkiDev @wolfSSL-Bot @philljj