Zeroize FIPS module integrity check MAC after check

Resolves: rhbz#2175873 Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-02-17 13:44:47 +01:00 · 2023-02-17 13:44:47 +01:00 · 58955140b6
commit 58955140b6
parent 6a9e17a8c1
2 changed files with 31 additions and 0 deletions
--- a/0109-fips-Zeroize-out-in-fips-selftest.patch
+++ b/0109-fips-Zeroize-out-in-fips-selftest.patch
@ -0,0 +1,26 @@
+From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Mon, 13 Feb 2023 11:01:44 +0100
+Subject: fips: Zeroize `out` in fips selftest
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+Resolves: rhbz#2169314
+---
+ providers/fips/self_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
+index 80d048a847..11a989209c 100644
+--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
+@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+         goto err;
+     ret = 1;
+ err:
+    OPENSSL_cleanse(out, sizeof(out));
+     OSSL_SELF_TEST_onend(ev, ret);
+     EVP_MAC_CTX_free(ctx);
+     EVP_MAC_free(mac);
+-- 
+2.39.1
+
--- a/openssl.spec
+++ b/openssl.spec
@ -166,6 +166,9 @@ Patch106: 0106-CVE-2023-0217-dsa.patch
 Patch107: 0107-CVE-2023-0286-X400.patch
 Patch108: 0108-CVE-2023-0401-pkcs7-md.patch

+# https://bugzilla.redhat.com/show_bug.cgi?id=2169314
+Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
+
 License: ASL 2.0
 URL: http://www.openssl.org/
 BuildRequires: gcc g++
@ -498,6 +501,8 @@ install -m644 %{SOURCE9} \
 * Tue Mar 14 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-7
 - Add explicit FIPS indicators to key derivation functions
  Resolves: rhbz#2175860 rhbz#2175864
+- Zeroize FIPS module integrity check MAC after check
+  Resolves: rhbz#2175873

 * Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
 - Fixes RNG slowdown in FIPS mode