zero sensitive state before free

JeremiahM37 · JeremiahM37 · commit c417a1ce1ebf · 2026-04-20T17:20:54.000Z
diff --git a/wolfcrypt/src/arc4.c b/wolfcrypt/src/arc4.c
@@ -25,6 +25,13 @@
 
 #include <wolfssl/wolfcrypt/arc4.h>
 
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
 
 int wc_Arc4SetKey(Arc4* arc4, const byte* key, word32 length)
 {
@@ -137,6 +144,10 @@ void wc_Arc4Free(Arc4* arc4)
 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ARC4)
     wolfAsync_DevCtxFree(&arc4->asyncDev, WOLFSSL_ASYNC_MARKER_ARC4);
 #endif /* WOLFSSL_ASYNC_CRYPT */
+
+    ForceZero(arc4->state, sizeof(arc4->state));
+    arc4->x = 0;
+    arc4->y = 0;
 }
 
 #endif /* NO_RC4 */
diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c
@@ -2002,6 +2002,7 @@ void wc_Des3Free(Des3* des3)
         (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES))
     ForceZero(des3->devKey, sizeof(des3->devKey));
 #endif
+    ForceZero(des3, sizeof(Des3));
 #ifdef WOLFSSL_CHECK_MEM_ZERO
     wc_MemZero_Check(des3, sizeof(Des3));
 #endif
diff --git a/wolfcrypt/src/wc_lms_impl.c b/wolfcrypt/src/wc_lms_impl.c
@@ -2855,6 +2855,7 @@ static int wc_hss_next_subtree_inc(LmsState* state, HssPrivKey* priv_key,
         q64_hi = cq64_hi;
     }
 
+    ForceZero(tmp_priv, sizeof(tmp_priv));
     return ret;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2855,6 +2855,7 @@ static int wc_hss_next_subtree_inc(LmsState* state, HssPrivKey* priv_key,`
`2855`	`2855`	`q64_hi = cq64_hi;`
`2856`	`2856`	`}`
`2857`	`2857`
	`2858`	`+ ForceZero(tmp_priv, sizeof(tmp_priv));`
`2858`	`2859`	`return ret;`
`2859`	`2860`	`}`
`2860`	`2861`