Zeroize FIPS module integrity check MAC after check

Resolves: rhbz#2175873
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2023-02-17 13:44:47 +01:00
parent 6a9e17a8c1
commit 58955140b6
2 changed files with 31 additions and 0 deletions

View File

@ -0,0 +1,26 @@
From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 13 Feb 2023 11:01:44 +0100
Subject: fips: Zeroize `out` in fips selftest
Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2169314
---
providers/fips/self_test.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index 80d048a847..11a989209c 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
goto err;
ret = 1;
err:
+ OPENSSL_cleanse(out, sizeof(out));
OSSL_SELF_TEST_onend(ev, ret);
EVP_MAC_CTX_free(ctx);
EVP_MAC_free(mac);
--
2.39.1

View File

@ -166,6 +166,9 @@ Patch106: 0106-CVE-2023-0217-dsa.patch
Patch107: 0107-CVE-2023-0286-X400.patch Patch107: 0107-CVE-2023-0286-X400.patch
Patch108: 0108-CVE-2023-0401-pkcs7-md.patch Patch108: 0108-CVE-2023-0401-pkcs7-md.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2169314
Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
License: ASL 2.0 License: ASL 2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
BuildRequires: gcc g++ BuildRequires: gcc g++
@ -498,6 +501,8 @@ install -m644 %{SOURCE9} \
* Tue Mar 14 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-7 * Tue Mar 14 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-7
- Add explicit FIPS indicators to key derivation functions - Add explicit FIPS indicators to key derivation functions
Resolves: rhbz#2175860 rhbz#2175864 Resolves: rhbz#2175860 rhbz#2175864
- Zeroize FIPS module integrity check MAC after check
Resolves: rhbz#2175873
* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6 * Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
- Fixes RNG slowdown in FIPS mode - Fixes RNG slowdown in FIPS mode