From 967aaa2c56233b8aa05988f06747d17462391a8d Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Thu, 5 Mar 2026 15:14:47 -0600
Subject: [PATCH 1/4] Fix F380 to harden wc_MakeDsaKey
---
 wolfcrypt/src/dsa.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c
index 7bf4702d09..1b8119d776 100644
--- a/wolfcrypt/src/dsa.c
+++ b/wolfcrypt/src/dsa.c
@@ -231,6 +231,7 @@ int wc_MakeDsaKey(WC_RNG *rng, DsaKey *dsa)
 mp_clear(&dsa->y);
 }
+ ForceZero(cBuf, cSz);
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
 XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
 if (tmpQ != NULL) {
From f093268bb946f09c1724f487f39e46ba8b779ec6 Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Thu, 5 Mar 2026 15:15:41 -0600
Subject: [PATCH 2/4] Fix F381 to harden wc_MakeDsaKey
---
 wolfcrypt/src/dsa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c
index 1b8119d776..79baf73809 100644
--- a/wolfcrypt/src/dsa.c
+++ b/wolfcrypt/src/dsa.c
@@ -227,7 +227,7 @@ int wc_MakeDsaKey(WC_RNG *rng, DsaKey *dsa)
 dsa->type = DSA_PRIVATE;
 if (err != MP_OKAY) {
- mp_clear(&dsa->x);
+ mp_forcezero(&dsa->x);
 mp_clear(&dsa->y);
 }
From d638824b6391fa38c78aa5a1c9babfabe8f1963e Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Thu, 5 Mar 2026 15:16:55 -0600
Subject: [PATCH 3/4] Fix F382 to harden wc_FreeDsaKey
---
 wolfcrypt/src/dsa.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c
index 79baf73809..4c9dc6e7e5 100644
--- a/wolfcrypt/src/dsa.c
+++ b/wolfcrypt/src/dsa.c
@@ -85,10 +85,7 @@ void wc_FreeDsaKey(DsaKey* key)
 if (key == NULL) return;
- if (key->type == DSA_PRIVATE)
- mp_forcezero(&key->x);
-
- mp_clear(&key->x);
+ mp_forcezero(&key->x);
 mp_clear(&key->y);
 mp_clear(&key->g);
 mp_clear(&key->q);
From 355081b1231ec578345a2a6f37546d3774099a85 Mon Sep 17 00:00:00 2001
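Review bot: The new `ForceZero(cBuf, cSz);` in wc_MakeDsaKey (PATCH 1/4) has no NULL guard, although the cleanup it sits in is written to tolerate a failed allocation (`if (tmpQ != NULL)` a few lines below). cBuf's declaration and allocation are outside the hunk, so this is a question rather than a confirmed defect: if the small-stack build can reach this point with cBuf == NULL, the wipe would write through a null pointer, and `if (cBuf != NULL) ForceZero(cBuf, (word32)cSz);` would close that. It is also worth confirming that no earlier return in the function skips the wipe once cBuf has been filled. The PATCH 4/4 hunk edits this same line, so the guard would apply there too.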
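Review bot: The switch from `mp_clear` to `mp_forcezero` for `dsa->x` in wc_MakeDsaKey's error path (PATCH 2/4) has no comment saying why x is handled differently from y on the next line, so a later tidy-up could revert it as an inconsistency. A one-line comment such as `/* x is the private value: wipe it, not just release it; y is public */` would record the intent. The wc_FreeDsaKey hunk in PATCH 3/4 makes the same replacement and drops the separate `mp_clear(&key->x)`; that relies on mp_forcezero also releasing the integer's storage, which is not shown on this page, so once confirmed a comment there (`/* mp_forcezero wipes and frees x */`) would help. Both function bodies continue outside their hunks.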
From: Eric Blankenhorn
Date: Fri, 6 Mar 2026 07:33:52 -0600
Subject: [PATCH 4/4] Fix test with cast
---
 wolfcrypt/src/dsa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c
index 4c9dc6e7e5..df05effbdc 100644
--- a/wolfcrypt/src/dsa.c
+++ b/wolfcrypt/src/dsa.c
@@ -228,7 +228,7 @@ int wc_MakeDsaKey(WC_RNG *rng, DsaKey *dsa)
 mp_clear(&dsa->y);
 }
- ForceZero(cBuf, cSz);
+ ForceZero(cBuf, (word32)cSz);
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
 XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
 if (tmpQ != NULL) {
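Review bot: The `(word32)cSz` cast quiets the conversion warning but leaves the type mismatch in place. cSz's declaration is outside the hunk; if it is a signed int, any path that reaches this cleanup with a negative or not-yet-computed cSz would turn into a very large wipe length. Deriving the length from the buffer's actual size, or declaring cSz with the unsigned type the wipe expects, would remove the need for the cast. If cSz is always validated before this point, a short comment next to the cast, for example `/* cSz > 0 here: set when the buffer was sized */`, would be enough.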