From 16e1d33f24959f3addaf9f58df737ed6edbfc81a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Mon, 13 Apr 2026 15:58:47 +0200 Subject: [PATCH] Fix invalid preprocessor guard in PKCS7 with SHA224 Also add missing ForceZero for ECDH shared secret on the heap. --- wolfcrypt/src/pkcs7.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index e5a1987c56..dcb33c7914 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -7782,7 +7782,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, kdfType = WC_HASH_TYPE_SHA; break; #endif - #ifndef WOLFSSL_SHA224 + #ifdef WOLFSSL_SHA224 case dhSinglePass_stdDH_sha224kdf_scheme: kdfType = WC_HASH_TYPE_SHA224; break; @@ -7804,6 +7804,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, #endif default: WOLFSSL_MSG("Unsupported key agreement algorithm"); + ForceZero(secret, secretSz); XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return BAD_FUNC_ARG; }; @@ -7816,6 +7817,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, ret = NOT_COMPILED_IN; #endif + ForceZero(secret, secretSz); XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return ret; }