Zeroize DER buffer in der_to_enc_pem_alloc before free

julek-wolfssl · julek-wolfssl · commit cb495320fe6f · 2026-04-17T16:44:45.000+02:00
F-2139

Previously the plaintext private key DER buffer was freed via XFREE
without a preceding ForceZero when no password encryption was requested.
Track the actual allocation size and zeroize the buffer before release.
diff --git a/src/pk.c b/src/pk.c
@@ -480,6 +480,7 @@ static int der_to_enc_pem_alloc(unsigned char* der, int derSz,
     byte* tmp = NULL;
     byte* cipherInfo = NULL;
     int pemSz = 0;
+    int derAllocSz = derSz;
     int hashType = WC_HASH_TYPE_NONE;
 #if !defined(NO_MD5)
     hashType = WC_MD5;
@@ -515,6 +516,7 @@ static int der_to_enc_pem_alloc(unsigned char* der, int derSz,
         }
         else {
             der = tmpBuf;
+            derAllocSz = derSz + blockSz;
 
             /* Encrypt DER inline. */
             ret = EncryptDerKey(der, &derSz, cipher, passwd, passwdSz,
@@ -562,7 +564,10 @@ static int der_to_enc_pem_alloc(unsigned char* der, int derSz,
 
     XFREE(tmp, NULL, DYNAMIC_TYPE_KEY);
     XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING);
-    XFREE(der, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (der != NULL) {
+        ForceZero(der, (word32)derAllocSz);
+        XFREE(der, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
 
     return ret;
 }
