File gnutls-FIPS-Zeroize-check_binary_integrity.patch of Package gnutls.28150
Index: gnutls-3.7.3/lib/fips.c
===================================================================
--- gnutls-3.7.3.orig/lib/fips.c
+++ gnutls-3.7.3/lib/fips.c
@@ -267,10 +267,15 @@ static unsigned check_binary_integrity(c
if (hmac_size != sizeof(hmac) ||
memcmp(hmac, new_hmac, sizeof(hmac)) != 0) {
_gnutls_debug_log("Calculated MAC for %s does not match\n", libname);
+ zeroize_key(hmac, sizeof(hmac));
+ zeroize_key(new_hmac, sizeof(new_hmac));
return gnutls_assert_val(0);
}
_gnutls_debug_log("Successfully verified MAC for %s (%s)\n", mac_file, libname);
-
+
+ zeroize_key(hmac, sizeof(hmac));
+ zeroize_key(new_hmac, sizeof(new_hmac));
+
return 1;
}
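Review bot: The two `zeroize_key` calls are repeated on the mismatch path and the success path, so clearing `hmac` and `new_hmac` depends on every exit being patched by hand. The function starts outside this hunk; if any earlier return happens after either buffer has been filled, it would presumably still leave MAC material on the stack, which is worth checking against the full function. Routing both exits through one cleanup label keeps the wipe in a single place and covers any exit added later. This needs an `unsigned ret` local declared at the top of the function, outside the hunk.

```c
		/* … unchanged: MAC comparison and mismatch log … */
		ret = gnutls_assert_val(0);
		goto cleanup;
	}
	/* … unchanged: success log … */
	ret = 1;

cleanup:
	/* Single exit: wipe both MAC buffers whatever the outcome. */
	zeroize_key(hmac, sizeof(hmac));
	zeroize_key(new_hmac, sizeof(new_hmac));
	return ret;
```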