Secure-clear key material on free and stack

JeremiahM37 · JeremiahM37 · commit eba09b8621f3 · 2026-04-07T17:18:46.000Z
diff --git a/src/wp_dec_epki2pki.c b/src/wp_dec_epki2pki.c
@@ -261,7 +261,7 @@ static int wp_epki2pki_decode(wp_Epki2Pki* ctx, OSSL_CORE_BIO* coreBio,
     }
 
     /* Dispose of the EPKI data buffer. */
-    OPENSSL_free(data);
+    OPENSSL_clear_free(data, len);
 
     OPENSSL_cleanse(password, sizeof(password));
 
diff --git a/src/wp_ecx_exch.c b/src/wp_ecx_exch.c
@@ -250,21 +250,32 @@ static int wp_x25519_derive(wp_EcxCtx* ctx, unsigned char* secret,
             ok = 0;
         }
         if (ok) {
+            /* Constant-time: always subtract, then select based on
+             * whether secret >= order. */
+            unsigned char reduced[CURVE25519_KEYSIZE];
+            int16_t carry = 0;
+            byte gt = 0;
+            byte eq = 0xFF;
+
+            for (i = CURVE25519_KEYSIZE - 1; i >= 0; i--) {
+                carry += secret[i];
+                carry -= wp_curve25519_order[i];
+                reduced[i] = (unsigned char)carry;
+                carry >>= 8;
+            }
+            /* Determine if secret >= order in constant time. */
             for (i = 0; i < CURVE25519_KEYSIZE; i++) {
-                if (secret[i] != wp_curve25519_order[i]) {
-                    break;
-                }
+                gt |= eq & wp_ct_int_mask_gte(secret[i],
+                    wp_curve25519_order[i] + 1);
+                eq &= wp_ct_byte_mask_eq(secret[i],
+                    wp_curve25519_order[i]);
             }
-            if ((i < CURVE25519_KEYSIZE) &&
-                (secret[i] > wp_curve25519_order[i])) {
-                int16_t carry = 0;
-                for (i = CURVE25519_KEYSIZE - 1; i >= 0; i--) {
-                    carry += secret[i];
-                    carry -= wp_curve25519_order[i];
-                    secret[i] = (unsigned char)carry;
-                    carry >>= 8;
-                }
+            /* Select reduced if secret >= order. */
+            for (i = 0; i < CURVE25519_KEYSIZE; i++) {
+                secret[i] = wp_ct_byte_mask_sel(gt | eq, reduced[i],
+                    secret[i]);
             }
+            OPENSSL_cleanse(reduced, sizeof(reduced));
         }
         if (ok) {
             *secLen = len;
diff --git a/src/wp_gmac.c b/src/wp_gmac.c
@@ -93,10 +93,11 @@ static wp_GmacCtx* wp_gmac_new(WOLFPROV_CTX* provCtx)
 static void wp_gmac_free(wp_GmacCtx* macCtx)
 {
     if (macCtx != NULL) {
+        wc_AesFree(&macCtx->gmac.aes);
         OPENSSL_cleanse(macCtx->key, macCtx->keyLen);
         OPENSSL_cleanse(macCtx->iv, macCtx->ivLen);
         OPENSSL_clear_free(macCtx->data, macCtx->dataLen);
-        OPENSSL_free(macCtx);
+        OPENSSL_clear_free(macCtx, sizeof(*macCtx));
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -261,7 +261,7 @@ static int wp_epki2pki_decode(wp_Epki2Pki* ctx, OSSL_CORE_BIO* coreBio,`
`261`	`261`	`}`
`262`	`262`
`263`	`263`	`/* Dispose of the EPKI data buffer. */`
`264`		`- OPENSSL_free(data);`
	`264`	`+ OPENSSL_clear_free(data, len);`
`265`	`265`
`266`	`266`	`OPENSSL_cleanse(password, sizeof(password));`
`267`	`267`
Original file line number	Diff line number	Diff line change
`@@ -93,10 +93,11 @@ static wp_GmacCtx* wp_gmac_new(WOLFPROV_CTX* provCtx)`
`93`	`93`	`static void wp_gmac_free(wp_GmacCtx* macCtx)`
`94`	`94`	`{`
`95`	`95`	`if (macCtx != NULL) {`
	`96`	`+ wc_AesFree(&macCtx->gmac.aes);`
`96`	`97`	`OPENSSL_cleanse(macCtx->key, macCtx->keyLen);`
`97`	`98`	`OPENSSL_cleanse(macCtx->iv, macCtx->ivLen);`
`98`	`99`	`OPENSSL_clear_free(macCtx->data, macCtx->dataLen);`
`99`		`- OPENSSL_free(macCtx);`
	`100`	`+ OPENSSL_clear_free(macCtx, sizeof(*macCtx));`
`100`	`101`	`}`
`101`	`102`	`}`
`102`	`103`