From 59b9ab9097517fd180ad883a6ece31716e988254 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Wed, 10 Jan 2018 13:36:03 -0700
Subject: [PATCH] place buffer on stack instead and zero it when done
---
 wolfcrypt/src/asn.c | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 4981d5555..d79fbda85 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -1804,8 +1804,8 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
 #ifdef HAVE_ECC
 if (der->keyOID == ECDSAk) {
 ecc_key key_pair;
- byte* privDer;
- word32 privSz;
+ byte privDer[MAX_ECC_BYTES];
+ word32 privSz = MAX_ECC_BYTES;
 word32 keyIdx = 0;
 if ((ret = wc_ecc_init(&key_pair)) < 0)
@@ -1815,15 +1815,6 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
 keySz)) == 0) {
 WOLFSSL_MSG("Checking ECC key pair");
- if ((privSz = wc_ecc_size(&key_pair)) <= 0) {
- return WC_KEY_SIZE_E;
- }
-
- privDer = (byte*)XMALLOC(privSz, der->heap, DYNAMIC_TYPE_KEY);
- if (privDer == NULL) {
- return MEMORY_E;
- }
-
 if ((ret = wc_ecc_export_private_only(&key_pair, privDer, &privSz)) == 0) {
 wc_ecc_free(&key_pair);
@@ -1842,9 +1833,8 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
 ret = 1;
 }
 }
+ ForceZero(privDer, privSz);
 }
- XFREE(privDer, der->heap, DYNAMIC_TYPE_KEY);
-
 }
 wc_ecc_free(&key_pair);
 }
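Review bot: In the first hunk `privSz` is initialised from the macro rather than from the array it describes, so the length handed to wc_ecc_export_private_only() can drift from the real buffer size if either declaration is edited later; `word32 privSz = sizeof(privDer);` keeps the two tied together. A short comment on the array, such as `/* raw ECC private key; wiped before leaving this block */`, would also record why this buffer must not go out of scope without being zeroed. The declarations belong to wc_CheckPrivateKey, whose body extends beyond the hunk.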
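Review bot: In the third hunk the added `ForceZero(privDer, privSz);` sits inside the block that runs only when wc_ecc_export_private_only() returned 0, so when the export fails the stack buffer is left exactly as the callee wrote it. Whether partial key bytes can be present at that point depends on the export routine, which is not visible here. The wipe length is also `privSz`, a value the callee updates through the in/out pointer, rather than the size of the array. Moving the call to just before the final `wc_ecc_free(&key_pair);` and writing it as `ForceZero(privDer, sizeof(privDer));` clears the whole buffer on every path that reaches the end of the ECDSAk block. The enclosing function starts and ends outside this hunk.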