Add ForceZero to PBKDF2 and PKCS12 PBE

LinuxJedi · LinuxJedi · commit 4db2f371586f · 2026-03-21T11:05:59.000Z
F-489
diff --git a/src/crypto.c b/src/crypto.c
@@ -6643,6 +6643,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                              hashType);
 
             if (ret != 0) {
+                wc_ForceZero(derivedKey, derivedKeyLen);
                 XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
                 return CKR_FUNCTION_FAILED;
             }
@@ -6668,6 +6669,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 }
             }
 
+            wc_ForceZero(derivedKey, derivedKeyLen);
             XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
             return rv;
         }
@@ -6738,6 +6740,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                                   (int)derivedKeyLen, hashType);
 
             if (ret != 0) {
+                wc_ForceZero(derivedKey, derivedKeyLen);
                 XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
                 return CKR_FUNCTION_FAILED;
             }
@@ -6763,6 +6766,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 }
             }
 
+            wc_ForceZero(derivedKey, derivedKeyLen);
             XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
             return rv;
         }

Original file line number	Diff line number	Diff line change
`@@ -6643,6 +6643,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,`
`6643`	`6643`	`hashType);`
`6644`	`6644`
`6645`	`6645`	`if (ret != 0) {`
	`6646`	`+ wc_ForceZero(derivedKey, derivedKeyLen);`
`6646`	`6647`	`XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);`
`6647`	`6648`	`return CKR_FUNCTION_FAILED;`
`6648`	`6649`	`}`
`@@ -6668,6 +6669,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,`
`6668`	`6669`	`}`
`6669`	`6670`	`}`
`6670`	`6671`
	`6672`	`+ wc_ForceZero(derivedKey, derivedKeyLen);`
`6671`	`6673`	`XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);`
`6672`	`6674`	`return rv;`
`6673`	`6675`	`}`
`@@ -6738,6 +6740,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,`
`6738`	`6740`	`(int)derivedKeyLen, hashType);`
`6739`	`6741`
`6740`	`6742`	`if (ret != 0) {`
	`6743`	`+ wc_ForceZero(derivedKey, derivedKeyLen);`
`6741`	`6744`	`XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);`
`6742`	`6745`	`return CKR_FUNCTION_FAILED;`
`6743`	`6746`	`}`
`@@ -6763,6 +6766,7 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,`
`6763`	`6766`	`}`
`6764`	`6767`	`}`
`6765`	`6768`
	`6769`	`+ wc_ForceZero(derivedKey, derivedKeyLen);`
`6766`	`6770`	`XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);`
`6767`	`6771`	`return rv;`
`6768`	`6772`	`}`