From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Wed, 1 Nov 2023 10:54:03 +0100 Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Requirement introduced by AS05.10: "The temporary value(s) generated during the integrity test of the module’s software or firmware shall [05.10] be zeroised from the module upon completion of the integrity test;" As some modules use fipscheck or sha*hmac for integrity tests, these temporary values need to be zeroised from the hasher. Signed-off-by: Zoltan Fridrich Signed-off-by: Stephan Mueller --- apps/kcapi-hasher.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c index 098b655..f5caf77 100644 --- a/apps/kcapi-hasher.c +++ b/apps/kcapi-hasher.c @@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params, if (hashlen > (uint32_t)ret) { fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n", (unsigned long)hashlen, ret); + kcapi_memset_secure(md, 0, sizeof(md)); return (int)ret; } @@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params, ret = 1; else ret = 0; + kcapi_memset_secure(compmd, 0, sizeof(compmd)); } else { if (outfile == NULL) { /* only print hash (hmaccalc -S) */ bin2print(md, hashlen, NULL, stdout, @@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params, fprintf(stderr, "Generation of hash for file %s failed (%zd)\n", filename ? filename : "stdin", ret); } + kcapi_memset_secure(md, 0, sizeof(md)); return (int)ret; } @@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params, if (file) fclose(file); kcapi_md_destroy(handle); + kcapi_memset_secure(buf, 0, sizeof(buf)); /* * If we found no lines to check, return an error.