diff options
| author | Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk> | 2024-04-28 19:40:26 +0100 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2024-05-13 11:14:11 +0200 |
| commit | fa338aa7cd1e893679c3e1c47465dcb11f90abfb (patch) | |
| tree | 1e6e01bf380c92578eb72d3ac6c61b21ac6886a8 /providers | |
| parent | fa4ee4043473185a5894274a2fa7fa2c4dc15a3c (diff) | |
fips: zeroization of public security parameters (PSPs)
ISO 19790:2012/Cor.1:2015 7.9 requires cryptographic module to provide
methods to zeroise all unproctected security sensitive parameters
(which inclues both Critical/Private **and** Public security
parameters). And those that are temprorarly stored are required to be
zeroised after they are no longer needed at security levels 2 and
higher.
Comply with the above requirements by always zeroising public security
parameters whenever they are freed.
This is currently done under the FIPS feature, however the requirement
comes from the ISO 19790:2012 which may also be needed in other
jurisdictions. If not always. Note FIPS 140-3 includes ISO 19790:2012
by reference.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24355)
Diffstat (limited to 'providers')
| -rw-r--r-- | providers/implementations/kdfs/hkdf.c | 4 | ||||
| -rw-r--r-- | providers/implementations/kdfs/pbkdf2.c | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index 3f65346a2b..0618468075 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -117,7 +117,11 @@ static void kdf_hkdf_reset(void *vctx) void *provctx = ctx->provctx; ossl_prov_digest_reset(&ctx->digest); +#ifdef FIPS_MODULE + OPENSSL_clear_free(ctx->salt, ctx->salt_len); +#else OPENSSL_free(ctx->salt); +#endif OPENSSL_free(ctx->prefix); OPENSSL_free(ctx->label); OPENSSL_clear_free(ctx->data, ctx->data_len); diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index f2d190c308..bac839ebc6 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -90,7 +90,11 @@ static void *kdf_pbkdf2_new(void *provctx) static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx) { ossl_prov_digest_reset(&ctx->digest); +#ifdef FIPS_MODULE + OPENSSL_clear_free(ctx->salt, ctx->salt_len); +#else OPENSSL_free(ctx->salt); +#endif OPENSSL_clear_free(ctx->pass, ctx->pass_len); memset(ctx, 0, sizeof(*ctx)); } |