From f978397369330665f29836c082e49113caa4a7d9 Mon Sep 17 00:00:00 2001
From: Paul Adelsbach <paul.adelsbach@wolfssl.com>
Date: Mon, 2 Mar 2026 13:35:32 -0800
Subject: [PATCH 1/2] Fix string length check in dh/ecdh

---
 src/wp_dh_exch.c   | 4 +++-
 src/wp_ecdh_exch.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/wp_dh_exch.c b/src/wp_dh_exch.c
index 62377ba3..bf6392af 100644
--- a/src/wp_dh_exch.c
+++ b/src/wp_dh_exch.c
@@ -512,8 +512,10 @@ static int wp_dh_set_param_kdf_digest(wp_DhCtx* ctx, const OSSL_PARAM params[])
     }
     if (ok && (mdName != NULL)) {
         const char* mdProps = NULL;
+        size_t mdNameLen = OPENSSL_strnlen(mdName, sizeof(ctx->kdfMdName) - 1);
 
-        XMEMCPY(ctx->kdfMdName, mdName, XSTRLEN(mdName) + 1);
+        XMEMCPY(ctx->kdfMdName, mdName, mdNameLen);
+        ctx->kdfMdName[mdNameLen] = '\0';
         if (!wp_params_get_utf8_string_ptr(params,
                     OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, &mdProps)) {
             ok = 0;
diff --git a/src/wp_ecdh_exch.c b/src/wp_ecdh_exch.c
index ee9aaf0c..e72bca1f 100644
--- a/src/wp_ecdh_exch.c
+++ b/src/wp_ecdh_exch.c
@@ -460,8 +460,10 @@ static int wp_ecdh_set_param_kdf_digest(wp_EcdhCtx* ctx,
     }
     if (ok && (mdName != NULL)) {
         const char* mdProps = NULL;
+        size_t mdNameLen = OPENSSL_strnlen(mdName, sizeof(ctx->kdfMdName) - 1);
 
-        XMEMCPY(ctx->kdfMdName, mdName, XSTRLEN(mdName) + 1);
+        XMEMCPY(ctx->kdfMdName, mdName, mdNameLen);
+        ctx->kdfMdName[mdNameLen] = '\0';
         if (!wp_params_get_utf8_string_ptr(params,
                     OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, &mdProps)) {
             ok = 0;

From bec742755593bb5c7f58a47da2743c4e94cde062 Mon Sep 17 00:00:00 2001
From: Paul Adelsbach <paul.adelsbach@wolfssl.com>
Date: Mon, 2 Mar 2026 14:18:31 -0800
Subject: [PATCH 2/2] Erase password buffers when exiting routines

---
 src/wp_dec_epki2pki.c |  2 ++
 src/wp_ecdh_exch.c    | 20 +++++++++++++++-----
 src/wp_internal.c     |  2 ++
 src/wp_rsa_kmgmt.c    |  4 ++++
 4 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/src/wp_dec_epki2pki.c b/src/wp_dec_epki2pki.c
index 76ac0173..3b3071b8 100644
--- a/src/wp_dec_epki2pki.c
+++ b/src/wp_dec_epki2pki.c
@@ -263,6 +263,8 @@ static int wp_epki2pki_decode(wp_Epki2Pki* ctx, OSSL_CORE_BIO* coreBio,
     /* Dispose of the EPKI data buffer. */
     OPENSSL_free(data);
 
+    OPENSSL_cleanse(password, sizeof(password));
+
     WOLFPROV_LEAVE(WP_LOG_COMP_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
     return ok;
 }
diff --git a/src/wp_ecdh_exch.c b/src/wp_ecdh_exch.c
index e72bca1f..31c614a7 100644
--- a/src/wp_ecdh_exch.c
+++ b/src/wp_ecdh_exch.c
@@ -315,7 +315,8 @@ static int wp_ecdh_derive(wp_EcdhCtx* ctx, unsigned char* secret,
     int done = 0;
     unsigned char* out;
     size_t outLen;
-    unsigned char tmp[72];
+    unsigned char* tmp = NULL;
+    size_t maxLen = (size_t)wp_ecc_get_size(ctx->key);
 
     WOLFPROV_ENTER(WP_LOG_COMP_ECDH, "wp_ecdh_derive");
 
@@ -326,10 +327,10 @@ static int wp_ecdh_derive(wp_EcdhCtx* ctx, unsigned char* secret,
     /* No output buffer, return maximum size only. */
     if (ok && (secret == NULL)) {
         if (ctx->kdfType == WP_KDF_NONE) {
-            *secLen = wp_ecc_get_size(ctx->key);
+            *secLen = maxLen;
         }
         else {
-            *secLen = ctx->keyLen;;
+            *secLen = ctx->keyLen;
         }
         done = 1;
     }
@@ -342,8 +343,15 @@ static int wp_ecdh_derive(wp_EcdhCtx* ctx, unsigned char* secret,
         }
         else if (ctx->kdfType == WP_KDF_X963) {
             /* Output of ECDH key exchange goes into temporary buffer. */
-            out = tmp;
-            outLen = sizeof(tmp);
+            tmp = OPENSSL_malloc(maxLen);
+            if (tmp == NULL) {
+                ok = 0;
+                outLen = 0;
+            }
+            else {
+                out = tmp;
+                outLen = maxLen;
+            }
         }
         else {
             ok = 0;
@@ -365,6 +373,8 @@ static int wp_ecdh_derive(wp_EcdhCtx* ctx, unsigned char* secret,
         }
     }
 
+    OPENSSL_clear_free(tmp, maxLen);
+
     WOLFPROV_LEAVE(WP_LOG_COMP_ECDH, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
     return ok;
 }
diff --git a/src/wp_internal.c b/src/wp_internal.c
index 9be14df7..8bee38cd 100644
--- a/src/wp_internal.c
+++ b/src/wp_internal.c
@@ -994,6 +994,8 @@ int wp_encrypt_key(WOLFPROV_CTX* provCtx, const char* cipherName,
         *keyLen = len;
     }
 
+    OPENSSL_cleanse(password, sizeof(password));
+
     WOLFPROV_LEAVE(WP_LOG_COMP_PROVIDER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
     return ok;
 #else
diff --git a/src/wp_rsa_kmgmt.c b/src/wp_rsa_kmgmt.c
index 9d7ba291..38de43d7 100644
--- a/src/wp_rsa_kmgmt.c
+++ b/src/wp_rsa_kmgmt.c
@@ -2472,6 +2472,8 @@ static int wp_rsa_decode_enc_pki(wp_Rsa* rsa, unsigned char* data, word32 len,
         ok = wp_rsa_decode_pki(rsa, data, len);
     }
 
+    OPENSSL_cleanse(password, sizeof(password));
+
     WOLFPROV_LEAVE_SILENT(WP_LOG_COMP_RSA, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__),
         ok);
     return ok;
@@ -3263,6 +3265,8 @@ static int wp_rsa_encode_enc_pki(const wp_RsaEncDecCtx* ctx, const wp_Rsa* rsa,
 
     XFREE(encodedKey, NULL, DYNAMIC_TYPE_RSA_BUFFER);
 
+    OPENSSL_cleanse(password, sizeof(password));
+
     WOLFPROV_LEAVE(WP_LOG_COMP_RSA, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
     return ok;
 }