From 296493acf014cf89a29fbc1f3bd7d40cd522d643 Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Thu, 5 Mar 2026 15:43:10 -0600
Subject: [PATCH 1/2] f283 harden GeneratePrivateDh186
---
 wolfcrypt/src/dh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c
index f6c97d3cb4d..b9e3ed6fa3e 100644
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@@ -1157,8 +1157,9 @@ static int GeneratePrivateDh186(DhKey* key, WC_RNG* rng, byte* priv,
 if (err == MP_OKAY)
 err = mp_read_unsigned_bin(tmpX, cBuf, cSz);
 if (err != MP_OKAY) {
- mp_clear(tmpX);
+ mp_forcezero(tmpX);
 mp_clear(tmpQ);
+ ForceZero(cBuf, cSz);
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
 XFREE(cBuf, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
 XFREE(tmpQ, key->heap, DYNAMIC_TYPE_DH);
From 203cce48ef50088493f4598a40fff022ba0bdb1e Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Thu, 5 Mar 2026 15:44:12 -0600
Subject: [PATCH 2/2] f287 harden wc_DhImportKeyPair
---
 wolfcrypt/src/dh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c
index b9e3ed6fa3e..0054374480b 100644
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@@ -2404,7 +2404,7 @@ int wc_DhImportKeyPair(DhKey* key, const byte* priv, word32 privSz,
 }
 if (havePriv) {
 if (mp_read_unsigned_bin(&key->priv, priv, privSz) != MP_OKAY) {
- mp_clear(&key->priv);
+ mp_forcezero(&key->priv);
 havePriv = 0;
 } else {
 WOLFSSL_MSG("DH Private Key Set");
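Review bot: In the first patch's hunk (error branch of GeneratePrivateDh186), `tmpX` and `cBuf` are now wiped while `tmpQ` stays on plain `mp_clear`, and the code gives no reason for the difference. A one-line comment above the cleanup, such as `/* tmpX and cBuf carry private-key candidate bytes; tmpQ does not */`, would stop a later cleanup from reverting or equalising the calls; the claim about tmpQ is inferred from its name and should be confirmed. The function starts and continues outside the hunk, so it is also worth checking that the success return and any other exits wipe `cBuf` and `tmpX` the same way, because a wipe on one exit only still leaves the random block in freed heap or stack memory on the others.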
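Review bot: In the second patch's hunk (wc_DhImportKeyPair), the new `mp_forcezero(&key->priv);` covers only the branch where reading the private value failed, which is the case where `key->priv` is least likely to hold the complete key. The function continues outside the hunk; if any later path discards `key->priv` after a successful read (for example when the public half then fails to import), that path holds the full private value and should use `mp_forcezero(&key->priv);` as well rather than `mp_clear`. This is inferred from the function's shape and is not visible here, so it needs confirming against the full source.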