From 2b3c02531cd9733170a2ee368c8507a2ffff78a7 Mon Sep 17 00:00:00 2001
From: Josh Holtrop
Date: Wed, 14 Jan 2026 09:03:17 -0500
Subject: [PATCH] Use ForceZero to clean up HMAC-BLAKE2[bs]
---
 wolfcrypt/src/blake2b.c | 10 ++++++++--
 wolfcrypt/src/blake2s.c | 10 ++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/wolfcrypt/src/blake2b.c b/wolfcrypt/src/blake2b.c
index 2295bb307..1f24a7999 100644
--- a/wolfcrypt/src/blake2b.c
+++ b/wolfcrypt/src/blake2b.c
@@ -37,6 +37,12 @@
 #include
 #include
+#ifdef NO_INLINE
+ #include
+#else
+ #define WOLFSSL_MISC_INCLUDED
+ #include
+#endif
 static const word64 blake2b_IV[8] = {
@@ -564,8 +570,8 @@ int wc_Blake2bHmac(const byte * in, size_t in_len,
 return ret;
 XMEMCPY(out, i_hash, BLAKE2B_OUTBYTES);
- XMEMSET(x_key, 0, BLAKE2B_BLOCKBYTES);
- XMEMSET(i_hash, 0, BLAKE2B_OUTBYTES);
+ ForceZero(x_key, BLAKE2B_BLOCKBYTES);
+ ForceZero(i_hash, BLAKE2B_OUTBYTES);
 return 0;
 }
diff --git a/wolfcrypt/src/blake2s.c b/wolfcrypt/src/blake2s.c
index 7dfd9b67e..2b312c574 100644
--- a/wolfcrypt/src/blake2s.c
+++ b/wolfcrypt/src/blake2s.c
@@ -37,6 +37,12 @@
 #include
 #include
+#ifdef NO_INLINE
+ #include
+#else
+ #define WOLFSSL_MISC_INCLUDED
+ #include
+#endif
 static const word32 blake2s_IV[8] = {
@@ -558,8 +564,8 @@ int wc_Blake2sHmac(const byte * in, size_t in_len,
 return ret;
 XMEMCPY(out, i_hash, BLAKE2S_OUTBYTES);
- XMEMSET(x_key, 0, BLAKE2S_BLOCKBYTES);
- XMEMSET(i_hash, 0, BLAKE2S_OUTBYTES);
+ ForceZero(x_key, BLAKE2S_BLOCKBYTES);
+ ForceZero(i_hash, BLAKE2S_OUTBYTES);
 return 0;
 }
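Review bot: The `return ret;` directly above the `XMEMCPY` in wc_Blake2bHmac exits without reaching the two new `ForceZero` calls, so on that failure path `x_key` and `i_hash` stay on the stack unwiped. The same applies to the matching context line in wc_Blake2sHmac in blake2s.c. The function body starts outside the hunk, so the guard on that return and any earlier returns are not visible here; any of them taken after `x_key` has been filled would presumably have the same gap. Routing the tail through a single exit would close it: make the copy conditional with `if (ret == 0) XMEMCPY(out, i_hash, BLAKE2B_OUTBYTES);`, then run both `ForceZero` calls unconditionally and finish with `return ret;`.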