Zeroize static ephemeral key buffer before free

julek-wolfssl · julek-wolfssl · commit fa3feb744227 · 2026-04-17T16:46:57.000+02:00
F-2144

SetStaticEphemeralKey loaded a private key file into keyBuf and freed it
without ForceZero. Static ephemeral keys are long-lived, so zeroize the
buffer before XFREE.
diff --git a/src/ssl.c b/src/ssl.c
@@ -18645,6 +18645,7 @@ static int SetStaticEphemeralKey(WOLFSSL_CTX* ctx,
 #ifndef NO_FILESYSTEM
     /* done with keyFile buffer */
     if (keyFile && keyBuf) {
+        ForceZero(keyBuf, keySz);
         XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
     }
 #endif

Original file line number	Diff line number	Diff line change
`@@ -18645,6 +18645,7 @@ static int SetStaticEphemeralKey(WOLFSSL_CTX* ctx,`
`18645`	`18645`	`#ifndef NO_FILESYSTEM`
`18646`	`18646`	`/* done with keyFile buffer */`
`18647`	`18647`	`if (keyFile && keyBuf) {`
	`18648`	`+ ForceZero(keyBuf, keySz);`
`18648`	`18649`	`XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);`
`18649`	`18650`	`}`
`18650`	`18651`	`#endif`