From: Daiki Ueno Date: Wed, 12 Jun 2019 12:02:05 +0000 (+0200) Subject: fips: run selftests over overridden AES-CBC algorithm X-Git-Tag: gnutls_3_6_9~31^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=facea2b7659e11efce7014bda8800574d35dd05d;p=thirdparty%2Fgnutls.git fips: run selftests over overridden AES-CBC algorithm Previously, we only tested nettle's AES-CBC in _gnutls_fips_perform_self_checks1(), which is called before the implementation is overridden. This adds an AES-CBC self-test in _gnutls_fips_perform_self_checks2() so it can test the actual implementation. Signed-off-by: Daiki Ueno --- diff --git a/lib/fips.c b/lib/fips.c index b92edbbd79..902af56749 100644 --- a/lib/fips.c +++ b/lib/fips.c @@ -317,6 +317,12 @@ int _gnutls_fips_perform_self_checks2(void) goto error; } + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC); + if (ret < 0) { + gnutls_assert(); + goto error; + } + ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM); if (ret < 0) { gnutls_assert();
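Review bot: The added `gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC)` call in `_gnutls_fips_perform_self_checks2()` carries no comment explaining why AES-CBC is checked a second time. The reason is given only in the commit message: the checks1 pass runs before the implementation is overridden, so it exercises only nettle's code. A one-line comment above the call would keep a later cleanup from dropping it as a duplicate of the checks1 test. Separately, the call covers only the 256-bit key size. If the overriding implementation also replaces AES-CBC at other key sizes, those paths remain untested after the override. Either add the corresponding self-test calls or state in the comment why AES-256 alone is considered sufficient.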