wolfSSL · aidangarske · Mar 23, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/src/wp_aes_aead.c b/src/wp_aes_aead.c
@@ -1688,6 +1688,10 @@ static void *wp_aes_gcm_newctx(WOLFPROV_CTX* provCtx, size_t keyBits)
  */
 static void wp_aes_gcm_freectx(wp_AeadCtx* ctx)
 {
+    OPENSSL_free(ctx->aad);
+#if defined(WP_HAVE_AESGCM) && !defined(WOLFSSL_AESGCM_STREAM)
+    OPENSSL_free(ctx->in);
+#endif
     wc_AesFree(&ctx->aes);
     OPENSSL_free(ctx);
 }

diff --git a/src/wp_aes_block.c b/src/wp_aes_block.c
@@ -866,21 +866,22 @@ static int wp_aes_block_final_dec(wp_AesBlockCtx* ctx, unsigned char *out,
 
     if (ok && ctx->pad) {
         unsigned char pad;
+        unsigned char invalid;
+        unsigned char i;
 
         pad = ctx->buf[AES_BLOCK_SIZE - 1];
-        if ((pad == 0) || (pad > AES_BLOCK_SIZE)) {
+        invalid = wp_ct_byte_mask_eq(pad, 0) |
+                  ~wp_ct_int_mask_gte(AES_BLOCK_SIZE, (int)pad);
+        for (i = 0; i < AES_BLOCK_SIZE; i++) {
+            unsigned char mask = wp_ct_int_mask_gte((int)i,
+                AES_BLOCK_SIZE - (int)pad);
+            invalid |= mask & wp_ct_byte_mask_ne(ctx->buf[i], pad);
+        }
+        if (invalid) {
             ok = 0;
         }
-        if (ok) {
-            unsigned char len = AES_BLOCK_SIZE;
-            unsigned char i;
-
-            for (i = 0; i < pad; i++) {
-                if (ctx->buf[--len] != pad) {
-                    return 0;
-                }
-            }
-            ctx->bufSz = len;
+        else {
+            ctx->bufSz = AES_BLOCK_SIZE - pad;
         }
     }
 

diff --git a/src/wp_cmac.c b/src/wp_cmac.c
@@ -162,11 +162,16 @@ static wp_CmacCtx* wp_cmac_dup(wp_CmacCtx* src)
         dst = wp_cmac_new(NULL);
     }
     if (dst != NULL) {
-        *dst = *src;
-        dst->keyLen = 0;
-
-        if ((src->keyLen != 0) &&
-            (!wp_cmac_set_key(dst, src->key, src->keyLen, 0))) {
+        /* Copy the entire context to preserve in-progress CMAC state. */
+        XMEMCPY(&dst->cmac, &src->cmac, sizeof(Cmac));
+        dst->type = src->type;
+        dst->size = src->size;
+        dst->expKeySize = src->expKeySize;
+        if (src->keyLen <= sizeof(dst->key)) {
+            XMEMCPY(dst->key, src->key, src->keyLen);
+            dst->keyLen = src->keyLen;
+        }
+        else {
             wp_cmac_free(dst);
             dst = NULL;
         }

diff --git a/src/wp_des.c b/src/wp_des.c
@@ -418,10 +418,15 @@ static int wp_des3_block_update(wp_Des3BlockCtx *ctx, unsigned char *out,
         int i;
         unsigned char off = inLen % DES_BLOCK_SIZE;
         unsigned char pad = DES_BLOCK_SIZE - off - 1;
-        for (i = off; i < DES_BLOCK_SIZE; i++) {
-            out[inLen - off + i] = pad;
+        if (outSize < inLen + pad + 1) {
+            ok = 0;
+        }
+        if (ok) {
+            for (i = off; i < DES_BLOCK_SIZE; i++) {
+                out[inLen - off + i] = pad;
+            }
+            inLen += pad + 1;
         }
-        inLen += pad + 1;
     }
     if (ctx->bufSz != 0) {
         size_t len = DES_BLOCK_SIZE - ctx->bufSz;
@@ -578,21 +583,22 @@ static int wp_des3_block_final_dec(wp_Des3BlockCtx* ctx, unsigned char *out,
 
     if (ok && ctx->pad) {
         unsigned char pad;
+        unsigned char invalid;
+        unsigned char i;
 
         pad = ctx->buf[DES_BLOCK_SIZE - 1];
-        if ((pad == 0) || (pad > DES_BLOCK_SIZE)) {
+        invalid = wp_ct_byte_mask_eq(pad, 0) |
+                  ~wp_ct_int_mask_gte(DES_BLOCK_SIZE, (int)pad);
+        for (i = 0; i < DES_BLOCK_SIZE; i++) {
+            unsigned char mask = wp_ct_int_mask_gte((int)i,
+                DES_BLOCK_SIZE - (int)pad);
+            invalid |= mask & wp_ct_byte_mask_ne(ctx->buf[i], pad);
+        }
+        if (invalid) {
             ok = 0;
         }
-        if (ok) {
-            unsigned char len = DES_BLOCK_SIZE;
-            unsigned char i;
-
-            for (i = 0; i < pad; i++) {
-                if (ctx->buf[--len] != pad) {
-                    return 0;
-                }
-            }
-            ctx->bufSz = len;
+        else {
+            ctx->bufSz = DES_BLOCK_SIZE - pad;
         }
     }
 

diff --git a/src/wp_dh_kmgmt.c b/src/wp_dh_kmgmt.c
@@ -453,7 +453,7 @@ void wp_dh_free(wp_Dh* dh)
         if (cnt == 0) {
             /* No more references to this object. */
             OPENSSL_free(dh->pub);
-            OPENSSL_free(dh->priv);
+            OPENSSL_clear_free(dh->priv, dh->privSz);
     #ifndef WP_SINGLE_THREADED
             wc_FreeMutex(&dh->mutex);
     #endif
@@ -730,6 +730,9 @@ static int wp_dh_get_params_encoded_public_key(wp_Dh* dh, OSSL_PARAM params[])
                 if (p->data_size < outLen) {
                     ok = 0;
                 }
+                if (ok && (dh->pubSz > outLen)) {
+                    ok = 0;
+                }
                 if (ok) {
                     unsigned char* data = p->data;
                     size_t padSz = outLen - dh->pubSz;
@@ -863,16 +866,6 @@ static int wp_dh_get_params(wp_Dh* dh, OSSL_PARAM params[])
             }
         }
     }
-    if (ok) {
-        /* Only call if we haven't already handled OSSL_PKEY_PARAM_PRIV_KEY */
-        p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PRIV_KEY);
-        if (p == NULL || p->data != NULL) {
-            if (!wp_params_set_octet_string_be(params, OSSL_PKEY_PARAM_PRIV_KEY,
-                    dh->priv, dh->privSz)) {
-                ok = 0;
-            }
-        }
-    }
     if (ok && (!wp_dh_get_params_encoded_public_key(dh, params))) {
         ok = 0;
     }

diff --git a/src/wp_drbg.c b/src/wp_drbg.c
@@ -334,29 +334,53 @@ static int wp_drbg_reseed(wp_DrbgCtx* ctx, int predResist,
     const unsigned char* addIn, size_t addInLen)
 {
     int ok = 1;
+    int rc;
+    unsigned char *seed = NULL;
+    size_t seedLen = 0;
 
     WOLFPROV_ENTER(WP_LOG_COMP_RNG, "wp_drbg_reseed");
 
-#if 0
-    /* Calling Hash_DRBG_Instantiate would be better. */
-    int rc;
-    rc = wc_RNG_DRBG_Reseed(ctx->rng, entropy, entropyLen);
-    if (rc != 0) {
-        ok = 0;
+    /* If no entropy provided, get fresh entropy from the OS source. */
+    if (entropy == NULL || entropyLen == 0) {
+        seedLen = 48;
+        seed = OPENSSL_malloc(seedLen);
+        if (seed == NULL) {
+            ok = 0;
+        }
+        if (ok) {
+            OS_Seed osSeed;
+            rc = wc_GenerateSeed(&osSeed, seed, (word32)seedLen);
+            if (rc != 0) {
+                ok = 0;
+            }
+            else {
+                entropy = seed;
+                entropyLen = seedLen;
+            }
+        }
     }
-    if (ok && (addInLen > 0)) {
-        rc = wc_RNG_DRBG_Reseed(ctx->rng, addIn, addInLen);
+
+    if (ok && entropy != NULL && entropyLen > 0) {
+        rc = wc_RNG_DRBG_Reseed(ctx->rng, entropy, (word32)entropyLen);
         if (rc != 0) {
+            WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_COMP_RNG,
+                "wc_RNG_DRBG_Reseed", rc);
+            ok = 0;
+        }
+    }
+    if (ok && (addInLen > 0) && (addIn != NULL)) {
+        rc = wc_RNG_DRBG_Reseed(ctx->rng, addIn, (word32)addInLen);
+        if (rc != 0) {
+            WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_COMP_RNG,
+                "wc_RNG_DRBG_Reseed", rc);
             ok = 0;
         }
     }
-#else
-    (void)ctx;
-    (void)entropy;
-    (void)entropyLen;
-    (void)addIn;
-    (void)addInLen;
-#endif
+
+    /* Securely clear and free locally allocated seed buffer. */
+    if (seed != NULL) {
+        OPENSSL_clear_free(seed, seedLen);
+    }
 
     (void)predResist;
 
@@ -388,6 +412,7 @@ static int wp_drbg_enable_locking(wp_DrbgCtx* ctx)
             if (rc != 0) {
                 WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_COMP_RNG, "wc_InitMutex", rc);
                 OPENSSL_free(ctx->mutex);
+                ctx->mutex = NULL;
                 ok = 0;
             }
         }
@@ -547,11 +572,16 @@ static int wp_drbg_set_ctx_params(wp_DrbgCtx* ctx, const OSSL_PARAM params[])
  */
 static int wp_drbg_verify_zeroization(wp_DrbgCtx* ctx)
 {
+    int ok;
+
     WOLFPROV_ENTER(WP_LOG_COMP_RNG, "wp_drbg_verify_zeroization");
 
-    (void)ctx;
-    WOLFPROV_LEAVE(WP_LOG_COMP_RNG, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
-    return 1;
+    /* After uninstantiate, ctx->rng is freed (with internal state zeroized
+     * by wolfSSL) and set to NULL. Verify that cleanup occurred. */
+    ok = (ctx->rng == NULL);
+
+    WOLFPROV_LEAVE(WP_LOG_COMP_RNG, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
+    return ok;
 }
 
 /**

diff --git a/src/wp_ecx_kmgmt.c b/src/wp_ecx_kmgmt.c
@@ -356,16 +356,46 @@ static wp_Ecx* wp_ecx_dup(const wp_Ecx* src, int selection)
 {
     wp_Ecx* dst = NULL;
 
-    (void)selection;
     if (wolfssl_prov_is_running()) {
         /* Create a new ecx object. */
         dst = wp_ecx_new(src->provCtx, src->data);
     }
     if (dst != NULL) {
-        XMEMCPY(&dst->key, &src->key, sizeof(src->key));
         dst->includePublic = src->includePublic;
-        dst->hasPub        = src->hasPub;
-        dst->hasPriv       = src->hasPriv;
+
+        /* Copy the full key union to preserve internal wolfSSL state.
+         * Private material is zeroized below if not selected. */
+        XMEMCPY(&dst->key, &src->key, sizeof(src->key));
+
+        /* Set public key flag if available and requested. */
+        if (src->hasPub &&
+            ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)) {
+            dst->hasPub = 1;
+        }
+        /* Set private key flag if available and requested. */
+        if (src->hasPriv &&
+            ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)) {
+            dst->hasPriv = 1;
+            dst->clamped = src->clamped;
+            XMEMCPY(dst->unclamped, src->unclamped, sizeof(src->unclamped));
+        }
+        else {
+            /* Private key not selected — re-import only public key to
+             * ensure no private material remains in the dst key object. */
+            if (dst->hasPub) {
+                byte buf[64];
+                word32 len = (word32)sizeof(buf);
+                int rc = (*src->data->exportPub)((void*)&src->key, buf, &len,
+                    ECX_LITTLE_ENDIAN);
+                if (rc == 0) {
+                    /* Re-init key and import only public part. */
+                    (*dst->data->freeKey)((void*)&dst->key);
+                    (*dst->data->initKey)((void*)&dst->key);
+                    (*dst->data->importPub)(buf, len, (void*)&dst->key,
+                        ECX_LITTLE_ENDIAN);
+                }
+            }
+        }
     }
 
     return dst;

diff --git a/src/wp_hkdf.c b/src/wp_hkdf.c
@@ -716,6 +716,9 @@ static int wp_kdf_tls1_3_derive(wp_HkdfCtx* ctx, unsigned char* key,
                 ok = 0;
             }
         }
+        else {
+            ok = 0;
+        }
     }
 
     WOLFPROV_LEAVE(WP_LOG_COMP_HKDF, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);

diff --git a/src/wp_hmac.c b/src/wp_hmac.c
@@ -187,12 +187,22 @@ static wp_HmacCtx* wp_hmac_dup(wp_HmacCtx* src)
         dst = wp_hmac_new(src->provCtx);
     }
     if (dst != NULL) {
-        *dst = *src;
-        dst->key = NULL;
-        dst->keyLen = 0;
+        int ok = 1;
 
-        if ((src->key != NULL) &&
+        dst->type = src->type;
+        dst->size = src->size;
+        dst->provCtx = src->provCtx;
+
+        /* Copy the Hmac struct directly to preserve in-progress state.
+         * wc_HmacCopy is not available in all wolfSSL versions. */
+        XMEMCPY(&dst->hmac, &src->hmac, sizeof(Hmac));
+
+        if (ok && (src->key != NULL) &&
             (!wp_hmac_set_key(dst, src->key, src->keyLen, 0))) {
+            ok = 0;
+        }
+
+        if (!ok) {
             wp_hmac_free(dst);
             dst = NULL;
         }

diff --git a/src/wp_mac_kmgmt.c b/src/wp_mac_kmgmt.c
@@ -223,10 +223,11 @@ void wp_mac_free(wp_Mac* mac)
         int rc;
 
         rc = wc_LockMutex(&mac->mutex);
-        cnt = --mac->refCnt;
-        if (rc == 0) {
-            wc_UnLockMutex(&mac->mutex);
+        if (rc != 0) {
+            return;
         }
+        cnt = --mac->refCnt;
+        wc_UnLockMutex(&mac->mutex);
     #else
         cnt = --mac->refCnt;
     #endif
@@ -318,6 +319,10 @@ static int wp_mac_has(const wp_Mac* mac, int selection)
     if (mac == NULL) {
        ok = 0;
     }
+    if (ok && ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)) {
+        /* MAC keys do not have a public key component. */
+        ok = 0;
+    }
     if (ok && ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)) {
         ok &= mac->key != NULL;
     }
@@ -344,11 +349,13 @@ static int wp_mac_match(const wp_Mac* mac1, const wp_Mac* mac2, int selection)
     if (!wolfssl_prov_is_running()) {
         ok = 0;
     }
-    if (ok && ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) &&
-        (mac1->keyLen != MAX_SIZE_T) && ((mac1->keyLen != mac2->keyLen) ||
-        (XMEMCMP(mac1->key, mac2->key, mac1->keyLen) != 0) ||
-        (XMEMCMP(mac1->cipher, mac2->cipher, WP_MAX_CIPH_NAME_SIZE) != 0))) {
-        ok = 0;
+    if (ok && ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)) {
+        if ((mac1->keyLen == MAX_SIZE_T) || (mac2->keyLen == MAX_SIZE_T) ||
+            (mac1->keyLen != mac2->keyLen) ||
+            (CRYPTO_memcmp(mac1->key, mac2->key, mac1->keyLen) != 0) ||
+            (XMEMCMP(mac1->cipher, mac2->cipher, WP_MAX_CIPH_NAME_SIZE) != 0)) {
+            ok = 0;
+        }
     }
 
     WOLFPROV_LEAVE(WP_LOG_COMP_MAC, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
-Original file line number
+Diff line change
@@ Expand Up @@
                     ok = 0;
                 }
             }
+            else {
+                ok = 0;
+            }
         }
         WOLFPROV_LEAVE(WP_LOG_COMP_HKDF, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
@@ Expand Down @@