libgcrypt/libgcrypt-FIPS-Zeroize-hmac.patch

Index: libgcrypt-1.9.4/src/fips.c
===================================================================
--- libgcrypt-1.9.4.orig/src/fips.c
+++ libgcrypt-1.9.4/src/fips.c
@@ -905,6 +905,10 @@ check_binary_integrity (void)
   char *fname = NULL;
   const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
 
+  /* A buffer of 64 bytes plus one for a LF and one to
+   * detect garbage.  */
+  unsigned char buffer[64+1+1];
+
   if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath)))
     err = gpg_error_from_syserror ();
   else
@@ -927,9 +931,6 @@ check_binary_integrity (void)
                 err = gpg_error_from_syserror ();
               else
                 {
-                  /* A buffer of 64 bytes plus one for a LF and one to
-                     detect garbage.  */
-                  unsigned char buffer[64+1+1];
                   const unsigned char *s;
                   int n;
 
@@ -957,6 +958,9 @@ check_binary_integrity (void)
             }
         }
     }
+  /* Zeroize digest and buffer */
+  memset (digest, 0, sizeof(digest));
+  memset (buffer, 0, sizeof(buffer));
   reporter ("binary", 0, fname, err? gpg_strerror (err):NULL);
 #ifdef HAVE_SYSLOG
   if (err)