Add a patch to zeroize kcapi-hasher for FIPS 140-3

Resolves: RHEL-15290

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2023-11-06 10:59:37 +01:00
parent 0bb5dedc42
commit 079fd9aefc
2 changed files with 61 additions and 0 deletions

58
003-zeroize-hasher.patch Normal file
View File

@ -0,0 +1,58 @@
From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 1 Nov 2023 10:54:03 +0100
Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Requirement introduced by AS05.10:
"The temporary value(s) generated during the integrity test of the
modules software or firmware shall [05.10] be zeroised from the module
upon completion of the integrity test;"
As some modules use fipscheck or sha*hmac for integrity tests, these
temporary values need to be zeroised from the hasher.
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
apps/kcapi-hasher.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 098b655..f5caf77 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
if (hashlen > (uint32_t)ret) {
fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n",
(unsigned long)hashlen, ret);
+ kcapi_memset_secure(md, 0, sizeof(md));
return (int)ret;
}
@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
ret = 1;
else
ret = 0;
+ kcapi_memset_secure(compmd, 0, sizeof(compmd));
} else {
if (outfile == NULL) { /* only print hash (hmaccalc -S) */
bin2print(md, hashlen, NULL, stdout,
@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
fprintf(stderr, "Generation of hash for file %s failed (%zd)\n",
filename ? filename : "stdin", ret);
}
+ kcapi_memset_secure(md, 0, sizeof(md));
return (int)ret;
}
@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params,
if (file)
fclose(file);
kcapi_md_destroy(handle);
+ kcapi_memset_secure(buf, 0, sizeof(buf));
/*
* If we found no lines to check, return an error.

View File

@ -136,6 +136,7 @@ Source3: fipshmac-openssl.sh
Patch1: 001-tests-kernel-version.patch Patch1: 001-tests-kernel-version.patch
Patch2: 002-fips-disable-ansi_cprng.patch Patch2: 002-fips-disable-ansi_cprng.patch
Patch3: 003-zeroize-hasher.patch
BuildRequires: bash BuildRequires: bash
BuildRequires: coreutils BuildRequires: coreutils
@ -519,6 +520,8 @@ popd
Resolves: RHEL-5366 Resolves: RHEL-5366
- Add a patch to fix auxiliary tests in FIPS mode - Add a patch to fix auxiliary tests in FIPS mode
Resolves: RHEL-2406 Resolves: RHEL-2406
- Add a patch to zeroize kcapi-hasher for FIPS 140-3
Resolves: RHEL-15290
* Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2 * Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2
- Fix double free issue in hasher() - Fix double free issue in hasher()