fips: zeroization of public security parameters (PSPs)

author Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>

Sun, 28 Apr 2024 18:40:26 +0000 (19:40 +0100)

committer Tomas Mraz <tomas@openssl.org>

Mon, 13 May 2024 09:14:11 +0000 (11:14 +0200)
author Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Sun, 28 Apr 2024 18:40:26 +0000 (19:40 +0100)
committer Tomas Mraz <tomas@openssl.org>
Mon, 13 May 2024 09:14:11 +0000 (11:14 +0200)
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c

index c92b4dcb0ac45b6581be216383d2cf8a8f4477e3..f6309b303460b66f781ae508996db25566382466 100644 (file)
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -746,9 +746,13 @@ void EC_POINT_free(EC_POINT *point)
      if (point == NULL)
          return;
  
+#ifdef FIPS_MODULE
+    EC_POINT_clear_free(point);
+#else
      if (point->meth->point_finish != 0)
          point->meth->point_finish(point);
      OPENSSL_free(point);
+#endif
  }
  
  void EC_POINT_clear_free(EC_POINT *point)
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c

index 680f85ffaf8047dd82b1770cf4bae200ec56a103..aa7731015090f3ca1a38f0f2370d780beca1f171 100644 (file)
--- a/crypto/ffc/ffc_params.c
+++ b/crypto/ffc/ffc_params.c
@@ -27,11 +27,19 @@ void ossl_ffc_params_init(FFC_PARAMS *params)
  
  void ossl_ffc_params_cleanup(FFC_PARAMS *params)
  {
+#ifdef FIPS_MODULE
+    BN_clear_free(params->p);
+    BN_clear_free(params->q);
+    BN_clear_free(params->g);
+    BN_clear_free(params->j);
+    OPENSSL_clear_free(params->seed, params->seedlen);
+#else
      BN_free(params->p);
      BN_free(params->q);
      BN_free(params->g);
      BN_free(params->j);
      OPENSSL_free(params->seed);
+#endif
      ossl_ffc_params_init(params);
  }
  
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c

index 5350a4e659e47cfc79b4ced521f3a3cc8a675284..93ff95187591d39931adc2021631342a2fb53a33 100644 (file)
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -159,8 +159,13 @@ void RSA_free(RSA *r)
      CRYPTO_THREAD_lock_free(r->lock);
      CRYPTO_FREE_REF(&r->references);
  
+#ifdef FIPS_MODULE
+    BN_clear_free(r->n);
+    BN_clear_free(r->e);
+#else
      BN_free(r->n);
      BN_free(r->e);
+#endif
      BN_clear_free(r->d);
      BN_clear_free(r->p);
      BN_clear_free(r->q);
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c

index 3f65346a2b0b72f5016c587812ae40598c5b0f50..0618468075196fb292e0ab76d75236ff30581051 100644 (file)
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -117,7 +117,11 @@ static void kdf_hkdf_reset(void *vctx)
      void *provctx = ctx->provctx;
  
      ossl_prov_digest_reset(&ctx->digest);
+#ifdef FIPS_MODULE
+    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
+#else
      OPENSSL_free(ctx->salt);
+#endif
      OPENSSL_free(ctx->prefix);
      OPENSSL_free(ctx->label);
      OPENSSL_clear_free(ctx->data, ctx->data_len);
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c

index f2d190c308f6aca2d74bf589390801816395d9e9..bac839ebc623ff4af4e5445385e9663a80b23d7e 100644 (file)
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -90,7 +90,11 @@ static void *kdf_pbkdf2_new(void *provctx)
  static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
  {
      ossl_prov_digest_reset(&ctx->digest);
+#ifdef FIPS_MODULE
+    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
+#else
      OPENSSL_free(ctx->salt);
+#endif
      OPENSSL_clear_free(ctx->pass, ctx->pass_len);
      memset(ctx, 0, sizeof(*ctx));
  }
author	Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
	Sun, 28 Apr 2024 18:40:26 +0000 (19:40 +0100)
committer	Tomas Mraz <tomas@openssl.org>
	Mon, 13 May 2024 09:14:11 +0000 (11:14 +0200)
crypto/ec/ec_lib.c		patch \| blob \| history
crypto/ffc/ffc_params.c		patch \| blob \| history
crypto/rsa/rsa_lib.c		patch \| blob \| history
providers/implementations/kdfs/hkdf.c		patch \| blob \| history
providers/implementations/kdfs/pbkdf2.c		patch \| blob \| history