diff --git a/src/internal.c b/src/internal.c index eb59f8133c..01179f1c6f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12372,6 +12372,7 @@ static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #else wc_Md5 md5[1]; #endif + XMEMSET(md5, 0, sizeof(wc_Md5)); /* make md5 inner */ ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5); @@ -12417,6 +12418,7 @@ static int BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #else wc_Sha sha[1]; #endif + XMEMSET(sha, 0, sizeof(wc_Sha)); /* make sha inner */ ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */ if (ret == 0) @@ -23926,6 +23928,7 @@ static int BuildMD5_CertVerify(const WOLFSSL* ssl, byte* digest) #else wc_Md5 md5[1]; #endif + XMEMSET(md5, 0, sizeof(wc_Md5)); /* make md5 inner */ ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5); /* Save current position */ @@ -23969,6 +23972,7 @@ static int BuildSHA_CertVerify(const WOLFSSL* ssl, byte* digest) #else wc_Sha sha[1]; #endif + XMEMSET(sha, 0, sizeof(wc_Sha)); /* make sha inner */ ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */ diff --git a/src/tls13.c b/src/tls13.c index 101b31541a..d84ad2bee8 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -11982,6 +11982,8 @@ static int ExpectedResumptionSecret(WOLFSSL* ssl) Digest digest; static byte header[] = { 0x14, 0x00, 0x00, 0x00 }; + XMEMSET(&digest, 0, sizeof(Digest)); + /* Copy the running hash so we can restore it after. */ switch (ssl->specs.mac_algorithm) { #ifndef NO_SHA256 diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index dc14d4fe66..1e1b82e437 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -5846,6 +5846,9 @@ void wolfSSL_EVP_init(void) if (out->pctx == NULL) return WOLFSSL_FAILURE; } + /* Zero hash context after shallow copy to prevent shared sub-pointers + * with src. The hash Copy function will perform the proper deep copy. */ + XMEMSET(&out->hash, 0, sizeof(out->hash)); return wolfSSL_EVP_MD_Copy_Hasher(out, (WOLFSSL_EVP_MD_CTX*)in); } #ifndef NO_AES