Fix invalid preprocessor guard in PKCS7 with SHA224

Frauschi · Frauschi · commit 16e1d33f2495 · 2026-04-23T09:36:32.000+02:00
Also add missing ForceZero for ECDH shared secret on the heap.
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
@@ -7782,7 +7782,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng,
             kdfType = WC_HASH_TYPE_SHA;
             break;
     #endif
-    #ifndef WOLFSSL_SHA224
+    #ifdef WOLFSSL_SHA224
         case dhSinglePass_stdDH_sha224kdf_scheme:
             kdfType = WC_HASH_TYPE_SHA224;
             break;
@@ -7804,6 +7804,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng,
     #endif
         default:
             WOLFSSL_MSG("Unsupported key agreement algorithm");
+            ForceZero(secret, secretSz);
             XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7);
             return BAD_FUNC_ARG;
     };
@@ -7816,6 +7817,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng,
     ret = NOT_COMPILED_IN;
 #endif
 
+    ForceZero(secret, secretSz);
     XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7);
     return ret;
 }
