From e51c9a3c586d536c551477c3c026b15a42aeb47f Mon Sep 17 00:00:00 2001
From: Paul Adelsbach <paul.adelsbach@wolfssl.com>
Date: Tue, 21 Apr 2026 11:09:26 -0700
Subject: [PATCH] Add zeroization in wolfSSH_ProcessBuffer

---
 src/internal.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index 0bf745e59..f2fdcf396 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2415,6 +2415,11 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
         else
             ret = wc_CertPemToDer(in, inSz, der, inSz, wcType);
         if (ret < 0) {
+            if (type == BUFTYPE_PRIVKEY) {
+                /* wc_KeyPemToDer may have written partial key material;
+                 * zeroize before free on the private-key path. */
+                ForceZero(der, inSz);
+            }
             WFREE(der, heap, dynamicType);
             return WS_BAD_FILE_E;
         }
@@ -2430,8 +2435,10 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
     if (type == BUFTYPE_PRIVKEY) {
         ret = IdentifyAsn1Key(der, derSz, 1, ctx->heap, NULL);
         if (ret < 0) {
-            if (der != NULL)
+            if (der != NULL) {
+                ForceZero(der, derSz);
                 WFREE(der, heap, dynamicType);
+            }
             return ret;
         }
         keyId = (byte)ret;