lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAMusb+SHmr49Kv+3NwsKKC_di=uOM6svisTEVm7LomGTBFr5OA@mail.gmail.com>
Date: Wed, 16 Apr 2025 17:16:26 +0200
From: Vladis Dronov <vdronov@...hat.com>
To: Ignat Korchagin <ignat@...udflare.com>
Cc: Herbert Xu <herbert@...dor.apana.org.au>, "David S . Miller" <davem@...emloft.net>, 
	Lukas Wunner <lukas@...ner.de>, Stefan Berger <stefanb@...ux.ibm.com>, linux-crypto@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] crypto: ecdsa - explicitly zeroize pub_key

On Mon, Apr 14, 2025 at 5:53 PM Ignat Korchagin <ignat@...udflare.com> wrote:
>
> Hi,
>
> On Mon, Apr 14, 2025 at 3:11 PM Vladis Dronov <vdronov@...hat.com> wrote:
> >
> > The FIPS standard, as a part of the Sensitive Security Parameter area,
> > requires the FIPS module to provide methods to zeroise all the unprotected
> > SSP (Security Sensitive Parameters), i.e. both the CSP (Critical Security
> > Parameters), and the PSP (Public Security Parameters):
> >
> >     A module shall provide methods to zeroise all unprotected SSPs and key
> >     components within the module.
> >
> > This requirement is mentioned in the section AS09.28 "Sensitive security
> > parameter zeroisation – Levels 1, 2, 3, and 4" of FIPS 140-3 / ISO 19790.
> > This is required for the FIPS certification. Thus, add a public key
> > zeroization to ecdsa_ecc_ctx_deinit().
> >
> > Signed-off-by: Vladis Dronov <vdronov@...hat.com>
> > ---
> >  crypto/ecdsa.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
> > index 117526d15dde..e7f58ad5ac76 100644
> > --- a/crypto/ecdsa.c
> > +++ b/crypto/ecdsa.c
> > @@ -96,10 +96,12 @@ static int ecdsa_ecc_ctx_init(struct ecc_ctx *ctx, unsigned int curve_id)
> >         return 0;
> >  }
> >
> > -
> >  static void ecdsa_ecc_ctx_deinit(struct ecc_ctx *ctx)
> >  {
> >         ctx->pub_key_set = false;
> > +
> > +       memzero_explicit(ctx->x, sizeof(ctx->x));
> > +       memzero_explicit(ctx->y, sizeof(ctx->y));
>
> Isn't this already done with crypto_destroy_tfm()? Or am I missing something?
>
> Ignat

Thank you for your input, Ignat, most appreciated.
Indeed, the memory for ecc_ctx is cleared with kfree_sensitive()
in crypto_destroy_tfm(), you are right. And people at FIPS LAB
seem to be okay with that (for now).

So, please disregard this patch, I'm sorry for the noise.

Best regards,
Vladis

>
> >  }
> >
> >  static int ecdsa_ecc_ctx_reset(struct ecc_ctx *ctx)
> > --
> > 2.49.0
> >
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ