lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALrw=nHS9UnMMwXfYo_6goDi==DD5feeemxqAXXAWvA0yOi_cw@mail.gmail.com>
Date: Mon, 14 Apr 2025 17:52:45 +0200
From: Ignat Korchagin <ignat@...udflare.com>
To: Vladis Dronov <vdronov@...hat.com>
Cc: Herbert Xu <herbert@...dor.apana.org.au>, "David S . Miller" <davem@...emloft.net>, 
	Lukas Wunner <lukas@...ner.de>, Stefan Berger <stefanb@...ux.ibm.com>, linux-crypto@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] crypto: ecdsa - explicitly zeroize pub_key

Hi,

On Mon, Apr 14, 2025 at 3:11 PM Vladis Dronov <vdronov@...hat.com> wrote:
>
> The FIPS standard, as a part of the Sensitive Security Parameter area,
> requires the FIPS module to provide methods to zeroise all the unprotected
> SSP (Security Sensitive Parameters), i.e. both the CSP (Critical Security
> Parameters), and the PSP (Public Security Parameters):
>
>     A module shall provide methods to zeroise all unprotected SSPs and key
>     components within the module.
>
> This requirement is mentioned in the section AS09.28 "Sensitive security
> parameter zeroisation – Levels 1, 2, 3, and 4" of FIPS 140-3 / ISO 19790.
> This is required for the FIPS certification. Thus, add a public key
> zeroization to ecdsa_ecc_ctx_deinit().
>
> Signed-off-by: Vladis Dronov <vdronov@...hat.com>
> ---
>  crypto/ecdsa.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
> index 117526d15dde..e7f58ad5ac76 100644
> --- a/crypto/ecdsa.c
> +++ b/crypto/ecdsa.c
> @@ -96,10 +96,12 @@ static int ecdsa_ecc_ctx_init(struct ecc_ctx *ctx, unsigned int curve_id)
>         return 0;
>  }
>
> -
>  static void ecdsa_ecc_ctx_deinit(struct ecc_ctx *ctx)
>  {
>         ctx->pub_key_set = false;
> +
> +       memzero_explicit(ctx->x, sizeof(ctx->x));
> +       memzero_explicit(ctx->y, sizeof(ctx->y));

Isn't this already done with crypto_destroy_tfm()? Or am I missing something?

Ignat

>  }
>
>  static int ecdsa_ecc_ctx_reset(struct ecc_ctx *ctx)
> --
> 2.49.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ