zero ECC private key stack buffers

JeremiahM37 · JeremiahM37 · commit b71c2a27bf9f · 2026-03-26T17:29:59.000Z
diff --git a/wolfcrypt/src/port/kcapi/kcapi_ecc.c b/wolfcrypt/src/port/kcapi/kcapi_ecc.c
@@ -120,6 +120,7 @@ int KcapiEcc_LoadKey(ecc_key* key, byte* pubkey_raw, word32* pubkey_sz,
             if (ret == 0) {
                 ret = kcapi_kpp_setkey(key->handle, priv, keySz);
             }
+            ForceZero(priv, sizeof(priv));
         }
         else {
             /* generate new ephemeral key */
@@ -241,6 +242,7 @@ int KcapiEcc_SharedSecret(ecc_key* private_key, ecc_key* public_key, byte* out,
                 ret = 0;
             }
         }
+        ForceZero(priv, sizeof(priv));
     }
     if (ret == 0) {
     #ifdef KCAPI_USE_XMALLOC
@@ -317,6 +319,7 @@ static int KcapiEcc_SetPrivKey(ecc_key* key)
         }
     }
 
+    ForceZero(priv, sizeof(priv));
     return ret;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,7 @@ int KcapiEcc_LoadKey(ecc_key* key, byte* pubkey_raw, word32* pubkey_sz,`
`120`	`120`	`if (ret == 0) {`
`121`	`121`	`ret = kcapi_kpp_setkey(key->handle, priv, keySz);`
`122`	`122`	`}`
	`123`	`+ ForceZero(priv, sizeof(priv));`
`123`	`124`	`}`
`124`	`125`	`else {`
`125`	`126`	`/* generate new ephemeral key */`
`@@ -241,6 +242,7 @@ int KcapiEcc_SharedSecret(ecc_key* private_key, ecc_key* public_key, byte* out,`
`241`	`242`	`ret = 0;`
`242`	`243`	`}`
`243`	`244`	`}`
	`245`	`+ ForceZero(priv, sizeof(priv));`
`244`	`246`	`}`
`245`	`247`	`if (ret == 0) {`
`246`	`248`	`#ifdef KCAPI_USE_XMALLOC`
`@@ -317,6 +319,7 @@ static int KcapiEcc_SetPrivKey(ecc_key* key)`
`317`	`319`	`}`
`318`	`320`	`}`
`319`	`321`
	`322`	`+ ForceZero(priv, sizeof(priv));`
`320`	`323`	`return ret;`
`321`	`324`	`}`
`322`	`325`