Skip to content

Test ForceZero of secrets in free and DH KEX#980

Merged
padelsbach merged 1 commit into
wolfSSL:masterfrom
ejohnstown:sf4
May 14, 2026
Merged

Test ForceZero of secrets in free and DH KEX#980
padelsbach merged 1 commit into
wolfSSL:masterfrom
ejohnstown:sf4

Conversation

@ejohnstown
Copy link
Copy Markdown
Contributor

@ejohnstown ejohnstown commented May 14, 2026

  • Add retain-on-free and size-tracking capture allocators to inspect freed buffers post-free.
  • Verify SshResourceFree zeroes ssh->k, ssh->keys, and ssh->peerKeys before wolfSSH_free releases the struct.
  • Verify KeyAgreeDh_client wipes ssh->handshake->x even when wc_DhAgree fails (ForceZero is unconditional).
  • Verify KeyAgreeDh_server zeroes the MAX_KEX_KEY_SZ y_ptr allocation under WOLFSSH_SMALL_STACK via 0xCC poisoning.
  • Expose KeyAgreeDh_client / KeyAgreeDh_server via wolfSSH_Test* hooks under WOLFSSH_TEST_INTERNAL.

Issues: F-2488, F-2492, F-2493, F-2875

@ejohnstown
Test ForceZero of secrets in free and DH KEX
d0e78e6 
- Add retain-on-free and size-tracking capture allocators to inspect
  freed buffers post-free.
- Verify SshResourceFree zeroes ssh->k, ssh->keys, and ssh->peerKeys
  before wolfSSH_free releases the struct.
- Verify KeyAgreeDh_client wipes ssh->handshake->x even when wc_DhAgree
  fails (ForceZero is unconditional).
- Verify KeyAgreeDh_server zeroes the MAX_KEX_KEY_SZ y_ptr allocation
  under WOLFSSH_SMALL_STACK via 0xCC poisoning.
- Expose KeyAgreeDh_client / KeyAgreeDh_server via wolfSSH_Test* hooks
  under WOLFSSH_TEST_INTERNAL.

Issues: F-2488, F-2492, F-2493, F-2875
Copilot AI review requested due to automatic review settings May 14, 2026 20:08
@ejohnstown ejohnstown self-assigned this May 14, 2026
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed May 14, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #980

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

@ejohnstown ejohnstown requested a review from padelsbach May 14, 2026 21:32
@padelsbach padelsbach merged commit 162dd7f into wolfSSL:master May 14, 2026
135 checks passed
@ejohnstown ejohnstown deleted the sf4 branch May 15, 2026 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

@padelsbach padelsbach padelsbach approved these changes

Copilot code review Copilot Awaiting requested review from Copilot

Assignees

@ejohnstown ejohnstown

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ejohnstown @padelsbach @wolfSSL-Fenrir-bot