Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
gnutls.32149
gnutls-zeroization-API-functions.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gnutls-zeroization-API-functions.patch of Package gnutls.32149
From 1f41e967817a86df007bec9ab7c9131811b5530d Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich <zfridric@redhat.com> Date: Mon, 11 Apr 2022 16:04:38 +0200 Subject: [PATCH] Add zeroization of some critical security parameters to comply with FIPS-140-3 requirements Signed-off-by: Zoltan Fridrich <zfridric@redhat.com> --- lib/accelerated/aarch64/hmac-sha-aarch64.c | 5 ++++- lib/accelerated/x86/hmac-padlock.c | 8 +++++++- lib/accelerated/x86/hmac-x86-ssse3.c | 5 ++++- lib/nettle/mac.c | 4 ++++ lib/x509/pkcs7-crypt.c | 21 +++++++++++++++++---- lib/x509/privkey.c | 6 ++++-- lib/x509/privkey_pkcs8.c | 4 +++- 7 files changed, 43 insertions(+), 10 deletions(-) diff --git a/lib/accelerated/aarch64/hmac-sha-aarch64.c b/lib/accelerated/aarch64/hmac-sha-aarch64.c index 47d6c516ce..4748a546c5 100644 --- a/lib/accelerated/aarch64/hmac-sha-aarch64.c +++ b/lib/accelerated/aarch64/hmac-sha-aarch64.c @@ -276,7 +276,10 @@ wrap_aarch64_hmac_output(void *src_ctx, void *digest, size_t digestsize) static void wrap_aarch64_hmac_deinit(void *hd) { - gnutls_free(hd); + struct aarch64_hmac_ctx *ctx = hd; + + zeroize_temp_key(ctx, sizeof(*ctx)); + gnutls_free(ctx); } static int wrap_aarch64_hmac_fast(gnutls_mac_algorithm_t algo, diff --git a/lib/accelerated/x86/hmac-padlock.c b/lib/accelerated/x86/hmac-padlock.c index 9bbd55561a..9cb373fe4a 100644 --- a/lib/accelerated/x86/hmac-padlock.c +++ b/lib/accelerated/x86/hmac-padlock.c @@ -280,7 +280,10 @@ wrap_padlock_hmac_output(void *src_ctx, void *digest, size_t digestsize) static void wrap_padlock_hmac_deinit(void *hd) { - gnutls_free(hd); + struct padlock_hmac_ctx *ctx = hd; + + zeroize_temp_key(ctx, sizeof(*ctx)); + gnutls_free(ctx); } static int @@ -316,6 +319,7 @@ wrap_padlock_hmac_fast(gnutls_mac_algorithm_t algo, pad, text_size + SHA1_DATA_SIZE, &pad2[SHA1_DATA_SIZE]); + zeroize_temp_key(pad, text_size + SHA1_DATA_SIZE); gnutls_free(pad); memset(pad2, OPAD, SHA1_DATA_SIZE); @@ -325,6 +329,8 @@ wrap_padlock_hmac_fast(gnutls_mac_algorithm_t algo, pad2, digest_size + SHA1_DATA_SIZE, digest); + zeroize_temp_key(pad2, sizeof(pad2)); + zeroize_temp_key(hkey, sizeof(hkey)); } else { struct padlock_hmac_ctx ctx; int ret; diff --git a/lib/accelerated/x86/hmac-x86-ssse3.c b/lib/accelerated/x86/hmac-x86-ssse3.c index f4ead02c47..8a60100905 100644 --- a/lib/accelerated/x86/hmac-x86-ssse3.c +++ b/lib/accelerated/x86/hmac-x86-ssse3.c @@ -275,7 +275,10 @@ wrap_x86_hmac_output(void *src_ctx, void *digest, size_t digestsize) static void wrap_x86_hmac_deinit(void *hd) { - gnutls_free(hd); + struct x86_hmac_ctx *ctx = hd; + + zeroize_temp_key(ctx, sizeof(*ctx)); + gnutls_free(ctx); } static int wrap_x86_hmac_fast(gnutls_mac_algorithm_t algo, diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c index 35e070fab0..4ea47e40e8 100644 --- a/lib/nettle/mac.c +++ b/lib/nettle/mac.c @@ -792,6 +792,7 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo, ctx.update(&ctx, text_size, text); } ctx.digest(&ctx, ctx.length, digest); + zeroize_temp_key(&ctx, sizeof(ctx)); return 0; } @@ -872,6 +873,7 @@ wrap_nettle_hkdf_extract (gnutls_mac_algorithm_t mac, hkdf_extract(&ctx.ctx, ctx.update, ctx.digest, ctx.length, keysize, key, output); + zeroize_temp_key(&ctx, sizeof(ctx)); return 0; } @@ -891,6 +893,7 @@ wrap_nettle_hkdf_expand (gnutls_mac_algorithm_t mac, ctx.set_key(&ctx, keysize, key); hkdf_expand(&ctx.ctx, ctx.update, ctx.digest, ctx.length, infosize, info, length, output); + zeroize_temp_key(&ctx, sizeof(ctx)); return 0; } @@ -912,6 +915,7 @@ wrap_nettle_pbkdf2 (gnutls_mac_algorithm_t mac, ctx.set_key(&ctx, keysize, key); pbkdf2(&ctx.ctx, ctx.update, ctx.digest, ctx.length, iter_count, saltsize, salt, length, output); + zeroize_temp_key(&ctx, sizeof(ctx)); return 0; } diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c index 2dc5bc4df0..59eddcd2a4 100644 --- a/lib/x509/pkcs7-crypt.c +++ b/lib/x509/pkcs7-crypt.c @@ -1238,6 +1238,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, ret = gnutls_cipher_init(&ch, ce->id, &dkey, &d_iv); + zeroize_temp_key(key, key_size); gnutls_free(key); if (ret < 0) { @@ -1282,14 +1283,26 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, ret = 0; cleanup: - gnutls_free(password); + if (password) { + zeroize_temp_key(password, pass_len); + gnutls_free(password); + } return ret; error: - gnutls_free(password); - gnutls_free(enc.data); - gnutls_free(key); + if (password) { + zeroize_temp_key(password, pass_len); + gnutls_free(password); + } + if (enc.data) { + zeroize_temp_key(enc.data, enc.size); + gnutls_free(enc.data); + } + if (key) { + zeroize_temp_key(key, key_size); + gnutls_free(key); + } if (ch) { gnutls_cipher_deinit(ch); } diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index d1ba65c90f..792a4134d7 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -64,7 +64,7 @@ void _gnutls_x509_privkey_reinit(gnutls_x509_privkey_t key) gnutls_pk_params_clear(&key->params); gnutls_pk_params_release(&key->params); /* avoid re-use of fields which may have had some sensible value */ - memset(&key->params, 0, sizeof(key->params)); + zeroize_key(&key->params, sizeof(key->params)); if (key->key) asn1_delete_structure2(&key->key, ASN1_DELETE_FLAG_ZEROIZE); @@ -614,8 +614,10 @@ gnutls_x509_privkey_import(gnutls_x509_privkey_t key, } cleanup: - if (need_free) + if (need_free) { + zeroize_temp_key(_data.data, _data.size); _gnutls_free_datum(&_data); + } /* The key has now been decoded. */ diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 4aa8993307..78c152a605 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -1666,8 +1666,10 @@ gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey_t key, cleanup: asn1_delete_structure2(&key->key, ASN1_DELETE_FLAG_ZEROIZE); key->params.algo = GNUTLS_PK_UNKNOWN; - if (need_free) + if (need_free) { + zeroize_temp_key(_data.data, _data.size); _gnutls_free_datum(&_data); + } return result; } -- GitLab
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor