crypto/internal/fips140: zeroise integrity test temporary values

There is no point to zeroise anything here because there are no secrets, but there is a strict FIPS 140-3 test requirement for it. > TE05.08.02 (Levels 1, 2, 3, and 4): verify that any temporary values > generated during the integrity test are zeroised upon completion of > the integrity test Change-Id: I7b0db075dae9910f8e825a22ca2caa2b4c918980 Reviewed-on: https://go-review.googlesource.com/c/go/+/636556 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org>
2025-12-08 06:10:04 +00:00 · 2024-12-16 17:20:46 +01:00 · 2024-12-16 17:20:46 +01:00 · 27c5164374
commit 27c5164374
parent d8ad4af78b
1 changed files with 7 additions and 0 deletions
--- a/src/crypto/internal/fips140/check/check.go
+++ b/src/crypto/internal/fips140/check/check.go
@ -93,6 +93,13 @@ func init() {
 		panic("fips140: verification mismatch")
 	}

+	// "The temporary value(s) generated during the integrity test of the
+	// module’s software or firmware shall [05.10] be zeroised from the module
+	// upon completion of the integrity test"
+	clear(sum)
+	clear(nbuf[:])
+	h.Reset()
+
 	if godebug.Value("#fips140") == "debug" {
 		println("fips140: verified code+data")
 	}