F-2970 - https://fenrir.wolfssl.com/finding/2970 - Add ForceZero on key material at early return in wolfTPM2_LoadKeyedHashKey

aidangarske · aidangarske · commit 40dddb064d8d · 2026-04-14T12:21:39.000-07:00
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -6823,6 +6823,7 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     rc = wolfTPM2_GetKeyTemplate_KeyedHash(&createIn.inPublic.publicArea,
         hashAlg, YES, NO);
     if (rc != 0) {
+        TPM2_ForceZero(&createIn.inSensitive, sizeof(createIn.inSensitive));
         return rc;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -6823,6 +6823,7 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,`
`6823`	`6823`	`rc = wolfTPM2_GetKeyTemplate_KeyedHash(&createIn.inPublic.publicArea,`
`6824`	`6824`	`hashAlg, YES, NO);`
`6825`	`6825`	`if (rc != 0) {`
	`6826`	`+ TPM2_ForceZero(&createIn.inSensitive, sizeof(createIn.inSensitive));`
`6826`	`6827`	`return rc;`
`6827`	`6828`	`}`
`6828`	`6829`