projects / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fa4ee40) | patch
fips: zeroization of public security parameters (PSPs)
authorDimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Sun, 28 Apr 2024 18:40:26 +0000 (19:40 +0100)
committerTomas Mraz <tomas@openssl.org>
Mon, 13 May 2024 09:14:11 +0000 (11:14 +0200)
commitfa338aa7cd1e893679c3e1c47465dcb11f90abfb
tree1e6e01bf380c92578eb72d3ac6c61b21ac6886a8tree | snapshot
parentfa4ee4043473185a5894274a2fa7fa2c4dc15a3ccommit | diff
fips: zeroization of public security parameters (PSPs)

ISO 19790:2012/Cor.1:2015 7.9 requires cryptographic module to provide
methods to zeroise all unproctected security sensitive parameters
(which inclues both Critical/Private **and** Public security
parameters). And those that are temprorarly stored are required to be
zeroised after they are no longer needed at security levels 2 and
higher.

Comply with the above requirements by always zeroising public security
parameters whenever they are freed.

This is currently done under the FIPS feature, however the requirement
comes from the ISO 19790:2012 which may also be needed in other
jurisdictions. If not always. Note FIPS 140-3 includes ISO 19790:2012
by reference.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24355)
crypto/ec/ec_lib.c diff | blob | history
crypto/ffc/ffc_params.c diff | blob | history
crypto/rsa/rsa_lib.c diff | blob | history
providers/implementations/kdfs/hkdf.c diff | blob | history
providers/implementations/kdfs/pbkdf2.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.