From 14695fb9cd0de067d34a4f1a92891aee09d8d08a Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Wed, 25 Mar 2026 12:27:23 -0600 Subject: [PATCH] zeroize ssl->encrypt after transferring ownership to dup --- src/ssl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 07434f66ce..bb8959957c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -906,6 +906,9 @@ static int DupSSL(WOLFSSL* dup, WOLFSSL* ssl) XMEMCPY(&dup->version, &ssl->version, sizeof(ProtocolVersion)); XMEMCPY(&dup->chVersion, &ssl->chVersion, sizeof(ProtocolVersion)); + /* dup side now owns encrypt/write ciphers */ + XMEMSET(&ssl->encrypt, 0, sizeof(Ciphers)); + #ifdef HAVE_ONE_TIME_AUTH #ifdef HAVE_POLY1305 if (ssl->auth.setup && ssl->auth.poly1305 != NULL) { @@ -918,9 +921,6 @@ static int DupSSL(WOLFSSL* dup, WOLFSSL* ssl) #endif #endif - /* dup side now owns encrypt/write ciphers */ - XMEMSET(&ssl->encrypt, 0, sizeof(Ciphers)); - #ifdef WOLFSSL_TLS13 if (IsAtLeastTLSv1_3(ssl->version)) { /* Copy TLS 1.3 application traffic secrets so the write side can