59 lines
2.1 KiB
Diff
59 lines
2.1 KiB
Diff
|
From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001
|
|||
|
|
From: Zoltan Fridrich <zfridric@redhat.com>
|
|||
|
|
Date: Wed, 1 Nov 2023 10:54:03 +0100
|
|||
|
|
Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3
|
|||
|
|
MIME-Version: 1.0
|
|||
|
|
Content-Type: text/plain; charset=UTF-8
|
|||
|
|
Content-Transfer-Encoding: 8bit
|
|||
|
|
|
|||
|
|
Requirement introduced by AS05.10:
|
|||
|
|
"The temporary value(s) generated during the integrity test of the
|
|||
|
|
module’s software or firmware shall [05.10] be zeroised from the module
|
|||
|
|
upon completion of the integrity test;"
|
|||
|
|
|
|||
|
|
As some modules use fipscheck or sha*hmac for integrity tests, these
|
|||
|
|
temporary values need to be zeroised from the hasher.
|
|||
|
|
|
|||
|
|
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
|||
|
|
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|||
|
|
---
|
|||
|
|
apps/kcapi-hasher.c | 4 ++++
|
|||
|
|
1 file changed, 4 insertions(+)
|
|||
|
|
|
|||
|
|
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
|||
|
|
index 098b655..f5caf77 100644
|
|||
|
|
--- a/apps/kcapi-hasher.c
|
|||
|
|
+++ b/apps/kcapi-hasher.c
|
|||
|
|
@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
|
|||
|
|
if (hashlen > (uint32_t)ret) {
|
|||
|
|
fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n",
|
|||
|
|
(unsigned long)hashlen, ret);
|
|||
|
|
+ kcapi_memset_secure(md, 0, sizeof(md));
|
|||
|
|
return (int)ret;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
|
|||
|
|
ret = 1;
|
|||
|
|
else
|
|||
|
|
ret = 0;
|
|||
|
|
+ kcapi_memset_secure(compmd, 0, sizeof(compmd));
|
|||
|
|
} else {
|
|||
|
|
if (outfile == NULL) { /* only print hash (hmaccalc -S) */
|
|||
|
|
bin2print(md, hashlen, NULL, stdout,
|
|||
|
|
@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
|
|||
|
|
fprintf(stderr, "Generation of hash for file %s failed (%zd)\n",
|
|||
|
|
filename ? filename : "stdin", ret);
|
|||
|
|
}
|
|||
|
|
+ kcapi_memset_secure(md, 0, sizeof(md));
|
|||
|
|
return (int)ret;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params,
|
|||
|
|
if (file)
|
|||
|
|
fclose(file);
|
|||
|
|
kcapi_md_destroy(handle);
|
|||
|
|
+ kcapi_memset_secure(buf, 0, sizeof(buf));
|
|||
|
|
|
|||
|
|
/*
|
|||
|
|
* If we found no lines to check, return an error.
|