File libkcapi-zeroize-hasher.patch of Package libkcapi.34738

From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 1 Nov 2023 10:54:03 +0100
Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Requirement introduced by AS05.10:
"The temporary value(s) generated during the integrity test of the
module’s software or firmware shall [05.10] be zeroised from the module
upon completion of the integrity test;"

As some modules use fipscheck or sha*hmac for integrity tests, these
temporary values need to be zeroised from the hasher.

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 apps/kcapi-hasher.c | 4 ++++
 1 file changed, 4 insertions(+)

Index: libkcapi-0.13.0/apps/kcapi-hasher.c
===================================================================
--- libkcapi-0.13.0.orig/apps/kcapi-hasher.c
+++ libkcapi-0.13.0/apps/kcapi-hasher.c
@@ -237,7 +237,7 @@ static int hasher(struct kcapi_handle *h
 				ret = 1;
 			else
 				ret = 0;
-
+			kcapi_memset_secure(compmd, 0, sizeof(compmd));
 		} else {
 			bin2print(md, ret, filename, outfile);
 			ret = 0;
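Review bot: `sizeof(compmd)` in the added `kcapi_memset_secure(compmd, 0, sizeof(compmd));` only clears the full digest if `compmd` is a fixed-size array declared in this function; if it is a pointer, only a pointer's worth of bytes is wiped. The declaration is outside the hunk, so confirm it, or pass the digest length used by the comparison instead of `sizeof`.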
@@ -247,6 +247,8 @@ static int hasher(struct kcapi_handle *h
 			filename, ret);
 	}
 
+	kcapi_memset_secure(md, 0, sizeof(md));
+
 out:
 	if (memblock)
 		munmap(memblock, sb.st_size);
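Review bot: the new `kcapi_memset_secure(md, 0, sizeof(md));` sits above the `out:` label, so any error path that reaches `out` via `goto` skips the wipe and leaves the digest in `md`. Move it below `out:`, next to the `munmap` cleanup, so it runs on every exit, as the `buf` wipe in the later hunk does.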
@@ -440,6 +442,7 @@ out:
 	if (file)
 		fclose(file);
 	kcapi_md_destroy(handle);
+	kcapi_memset_secure(buf, 0, sizeof(buf));
 	return ret;
 
 }
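Review bot: placing `kcapi_memset_secure(buf, 0, sizeof(buf));` after the `out:` label, following `kcapi_md_destroy(handle)`, is the right pattern since it covers every return path; the `md` wipe earlier in this patch should follow it. As with the other buffers, `sizeof(buf)` assumes `buf` is an array local to this function rather than a pointer, which the hunk does not show. The stray blank line between `return ret;` and the closing brace could be dropped while touching this block.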