41 lines
1.2 KiB
Diff
41 lines
1.2 KiB
Diff
From 65911d48d49116a6ba49402824864e5f2f3ac1e1 Mon Sep 17 00:00:00 2001
|
|
From: Clemens Lang <cllang@redhat.com>
|
|
Date: Fri, 12 Jan 2024 11:12:14 +0100
|
|
Subject: [PATCH] fips: Zeroize temporary values
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The standard says "temporary value(s) generated during the integrity
|
|
test of the module's software […] shall be zeroised from the module upon
|
|
completion of the integrity test".
|
|
|
|
That includes the computed HMAC value, which is currently not zeroized
|
|
after the test. Add explicit calls to gnutls_memset() to fix that.
|
|
|
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
---
|
|
lib/fips.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/lib/fips.c b/lib/fips.c
|
|
index e9c27f6df6..8f4ff22fb9 100644
|
|
--- a/lib/fips.c
|
|
+++ b/lib/fips.c
|
|
@@ -380,10 +380,12 @@ static int check_lib_hmac(struct hmac_entry *entry,
|
|
|
|
if (gnutls_memcmp(entry->hmac, hmac, HMAC_SIZE)) {
|
|
_gnutls_debug_log("Calculated MAC for %s does not match\n", path);
|
|
+ gnutls_memset(hmac, 0, HMAC_SIZE);
|
|
return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
|
|
}
|
|
_gnutls_debug_log("Successfully verified MAC for %s\n", path);
|
|
|
|
+ gnutls_memset(hmac, 0, HMAC_SIZE);
|
|
return 0;
|
|
}
|
|
|
|
--
|
|
2.43.0
|
|
|