F-2976 - https://fenrir.wolfssl.com/finding/2976 - Guard handle auth assignment on success in wolfTPM2_SetIdentityAuth

aidangarske · aidangarske · commit 27bada5de99e · 2026-04-15T09:58:08.000-07:00
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -9391,14 +9391,17 @@ int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle,
         wc_HashFree(&hash_ctx, hashType);
     }
 
-    /* Hash Final truncate to 16 bytes */
-    /* Use 16-byte for auth when accessing key */
-    handle->auth.size = 16;
-    XMEMCPY(handle->auth.buffer, &digest[16], 16);
-#ifdef DEBUG_WOLFTPM
-    printf("Handle 0x%x, Auth %d\n", handle->hndl, handle->auth.size);
-    TPM2_PrintBin(handle->auth.buffer, handle->auth.size);
-#endif
+    if (rc == 0) {
+        /* Hash Final truncate to 16 bytes */
+        /* Use 16-byte for auth when accessing key */
+        handle->auth.size = 16;
+        XMEMCPY(handle->auth.buffer, &digest[16], 16);
+    #ifdef DEBUG_WOLFTPM
+        printf("Handle 0x%x, Auth %d\n", handle->hndl, handle->auth.size);
+        TPM2_PrintBin(handle->auth.buffer, handle->auth.size);
+    #endif
+    }
+    wc_ForceZero(digest, sizeof(digest));
 
     (void)dev;
 
