From 58955140b656e3a843fe85dba1d77372488ae311 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Fri, 17 Feb 2023 13:44:47 +0100 Subject: [PATCH] Zeroize FIPS module integrity check MAC after check Resolves: rhbz#2175873 Signed-off-by: Clemens Lang --- 0109-fips-Zeroize-out-in-fips-selftest.patch | 26 ++++++++++++++++++++ openssl.spec | 5 ++++ 2 files changed, 31 insertions(+) create mode 100644 0109-fips-Zeroize-out-in-fips-selftest.patch diff --git a/0109-fips-Zeroize-out-in-fips-selftest.patch b/0109-fips-Zeroize-out-in-fips-selftest.patch new file mode 100644 index 0000000..3cd48df --- /dev/null +++ b/0109-fips-Zeroize-out-in-fips-selftest.patch @@ -0,0 +1,26 @@ +From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 13 Feb 2023 11:01:44 +0100 +Subject: fips: Zeroize `out` in fips selftest + +Signed-off-by: Clemens Lang +Resolves: rhbz#2169314 +--- + providers/fips/self_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index 80d048a847..11a989209c 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +-- +2.39.1 + diff --git a/openssl.spec b/openssl.spec index bb96821..4b75c23 100644 --- a/openssl.spec +++ b/openssl.spec @@ -166,6 +166,9 @@ Patch106: 0106-CVE-2023-0217-dsa.patch Patch107: 0107-CVE-2023-0286-X400.patch Patch108: 0108-CVE-2023-0401-pkcs7-md.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2169314 +Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch + License: ASL 2.0 URL: http://www.openssl.org/ BuildRequires: gcc g++ 
@@ -498,6 +501,8 @@ install -m644 %{SOURCE9} \ * Tue Mar 14 2023 Clemens Lang - 1:3.0.7-7 - Add explicit FIPS indicators to key derivation functions Resolves: rhbz#2175860 rhbz#2175864 +- Zeroize FIPS module integrity check MAC after check + Resolves: rhbz#2175873 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode
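Review bot: In the `providers/fips/self_test.c` hunk carried inside `0109-fips-Zeroize-out-in-fips-selftest.patch`, `OPENSSL_cleanse(out, sizeof(out));` wipes the whole MAC only if `out` is a fixed-size array; the three context lines shown do not include its declaration, so please confirm it is not a pointer, where `sizeof(out)` would clear only the pointer width and leave the computed integrity MAC on the stack. Anchoring the cleanse at the `err:` label is the right choice, since both the success path (`ret = 1;`) and the `goto err;` failures reach it before `OSSL_SELF_TEST_onend(ev, ret);`, so no exit skips the wipe. A one-line comment above the call stating that `out` holds the computed module integrity MAC would make the intent obvious to the next reader of `verify_integrity`.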
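Review bot: The comment added above `Patch109:` in the `@@ -166,6 +166,9 @@` hunk of `openssl.spec` links bugzilla 2169314, while the commit subject and the new changelog bullet cite rhbz#2175873; if one is the original report and the other the tracking bug for this build, say so in the comment or list both, so that the spec and the changelog point to the same place. Placement after `Patch108` and the blank-line separation are consistent with the surrounding patch list.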
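Review bot: The changelog hunk (`@@ -498,6 +501,8 @@`) appends the new `Zeroize FIPS module integrity check MAC after check` bullet to the existing `Tue Mar 14 2023 Clemens Lang - 1:3.0.7-7` entry without touching `Release:`; that is only correct if 3.0.7-7 has not yet been built from the earlier entry, otherwise this change needs a release bump and its own dated entry so the package that actually contains the fix can be identified. The two-space indentation of the added `Resolves: rhbz#2175873` line matches the preceding entry's style.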