libgcrypt/libgcrypt-FIPS-Zeroize-hmac.patch

Index: libgcrypt-1.9.4/src/fips.c
===================================================================
--- libgcrypt-1.9.4.orig/src/fips.c
+++ libgcrypt-1.9.4/src/fips.c
@@ -905,6 +905,10 @@ check_binary_integrity (void)
   char *fname = NULL;
   const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
 
+  /* A buffer of 64 bytes plus one for a LF and one to
+   * detect garbage.  */
+  unsigned char buffer[64+1+1];
+
   if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath)))
     err = gpg_error_from_syserror ();
   else
@@ -927,9 +931,6 @@ check_binary_integrity (void)
                 err = gpg_error_from_syserror ();
               else
                 {
-                  /* A buffer of 64 bytes plus one for a LF and one to
-                     detect garbage.  */
-                  unsigned char buffer[64+1+1];
                   const unsigned char *s;
                   int n;
 
@@ -957,6 +958,9 @@ check_binary_integrity (void)
             }
         }
     }
+  /* Zeroize digest and buffer */
+  memset (digest, 0, sizeof(digest));
+  memset (buffer, 0, sizeof(buffer));
   reporter ("binary", 0, fname, err? gpg_strerror (err):NULL);
 #ifdef HAVE_SYSLOG
   if (err)
Accepting request 1004104 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - FIPS: Get most of the entropy from rndjent_poll [bsc#1202117] * Add libgcrypt-FIPS-rndjent_poll.patch * Rebase libgcrypt-jitterentropy-3.4.0.patch - FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700] * Consider approved keylength greater or equal to 112 bits. * Add libgcrypt-FIPS-kdf-leylength.patch - FIPS: Zeroize buffer and digest in check_binary_integrity() * Add libgcrypt-FIPS-Zeroize-hmac.patch [bsc#1191020] OBS-URL: https://build.opensuse.org/request/show/1004104 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=158 2022-09-16 23:00:13 +02:00			`Index: libgcrypt-1.9.4/src/fips.c`
			`===================================================================`
			`--- libgcrypt-1.9.4.orig/src/fips.c`
			`+++ libgcrypt-1.9.4/src/fips.c`
			`@@ -905,6 +905,10 @@ check_binary_integrity (void)`
			`char *fname = NULL;`
			`const char key[] = "orboDeJITITejsirpADONivirpUkvarP";`

			`+ /* A buffer of 64 bytes plus one for a LF and one to`
			`+ * detect garbage. */`
			`+ unsigned char buffer[64+1+1];`
			`+`
			`if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath)))`
			`err = gpg_error_from_syserror ();`
			`else`
			`@@ -927,9 +931,6 @@ check_binary_integrity (void)`
			`err = gpg_error_from_syserror ();`
			`else`
			`{`
			`- /* A buffer of 64 bytes plus one for a LF and one to`
			`- detect garbage. */`
			`- unsigned char buffer[64+1+1];`
			`const unsigned char *s;`
			`int n;`

			`@@ -957,6 +958,9 @@ check_binary_integrity (void)`
			`}`
			`}`
			`}`
			`+ /* Zeroize digest and buffer */`
			`+ memset (digest, 0, sizeof(digest));`
			`+ memset (buffer, 0, sizeof(buffer));`
			`reporter ("binary", 0, fname, err? gpg_strerror (err):NULL);`
			`#ifdef HAVE_SYSLOG`
			`if (err)`