Pedro Monreal Gonzalez
a52145f041
- FIPS: Get most of the entropy from rndjent_poll [bsc#1202117] * Add libgcrypt-FIPS-rndjent_poll.patch * Rebase libgcrypt-jitterentropy-3.4.0.patch - FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700] * Consider approved keylength greater or equal to 112 bits. * Add libgcrypt-FIPS-kdf-leylength.patch - FIPS: Zeroize buffer and digest in check_binary_integrity() * Add libgcrypt-FIPS-Zeroize-hmac.patch [bsc#1191020] OBS-URL: https://build.opensuse.org/request/show/1004104 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=158
36 lines
1.2 KiB
Diff
36 lines
1.2 KiB
Diff
Index: libgcrypt-1.9.4/src/fips.c
|
|
===================================================================
|
|
--- libgcrypt-1.9.4.orig/src/fips.c
|
|
+++ libgcrypt-1.9.4/src/fips.c
|
|
@@ -905,6 +905,10 @@ check_binary_integrity (void)
|
|
char *fname = NULL;
|
|
const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
|
|
|
|
+ /* A buffer of 64 bytes plus one for a LF and one to
|
|
+ * detect garbage. */
|
|
+ unsigned char buffer[64+1+1];
|
|
+
|
|
if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath)))
|
|
err = gpg_error_from_syserror ();
|
|
else
|
|
@@ -927,9 +931,6 @@ check_binary_integrity (void)
|
|
err = gpg_error_from_syserror ();
|
|
else
|
|
{
|
|
- /* A buffer of 64 bytes plus one for a LF and one to
|
|
- detect garbage. */
|
|
- unsigned char buffer[64+1+1];
|
|
const unsigned char *s;
|
|
int n;
|
|
|
|
@@ -957,6 +958,9 @@ check_binary_integrity (void)
|
|
}
|
|
}
|
|
}
|
|
+ /* Zeroize digest and buffer */
|
|
+ memset (digest, 0, sizeof(digest));
|
|
+ memset (buffer, 0, sizeof(buffer));
|
|
reporter ("binary", 0, fname, err? gpg_strerror (err):NULL);
|
|
#ifdef HAVE_SYSLOG
|
|
if (err)
|