F-2968 - https://fenrir.wolfssl.com/finding/2968 - Add ForceZero on auth in wolfTPM2_HmacStart on all exit paths

aidangarske · aidangarske · commit a251d20e47d4 · 2026-04-14T12:20:04.000-07:00
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -6919,6 +6919,7 @@ int wolfTPM2_HmacStart(WOLFTPM2_DEV* dev, WOLFTPM2_HMAC* hmac,
         printf("TPM2_HMAC_Start failed 0x%x: %s\n", rc,
             TPM2_GetRCString(rc));
     #endif
+        TPM2_ForceZero(&in.auth, sizeof(in.auth));
         return rc;
     }
 
@@ -6930,6 +6931,7 @@ int wolfTPM2_HmacStart(WOLFTPM2_DEV* dev, WOLFTPM2_HMAC* hmac,
         (word32)out.sequenceHandle);
 #endif
 
+    TPM2_ForceZero(&in.auth, sizeof(in.auth));
     return rc;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -6919,6 +6919,7 @@ int wolfTPM2_HmacStart(WOLFTPM2_DEV* dev, WOLFTPM2_HMAC* hmac,`
`6919`	`6919`	`printf("TPM2_HMAC_Start failed 0x%x: %s\n", rc,`
`6920`	`6920`	`TPM2_GetRCString(rc));`
`6921`	`6921`	`#endif`
	`6922`	`+ TPM2_ForceZero(&in.auth, sizeof(in.auth));`
`6922`	`6923`	`return rc;`
`6923`	`6924`	`}`
`6924`	`6925`
`@@ -6930,6 +6931,7 @@ int wolfTPM2_HmacStart(WOLFTPM2_DEV* dev, WOLFTPM2_HMAC* hmac,`
`6930`	`6931`	`(word32)out.sequenceHandle);`
`6931`	`6932`	`#endif`
`6932`	`6933`
	`6934`	`+ TPM2_ForceZero(&in.auth, sizeof(in.auth));`
`6933`	`6935`	`return rc;`
`6934`	`6936`	`}`
`6935`	`6937`