fips: run selftests over overridden AES-CBC algorithm
authorDaiki Ueno <dueno@redhat.com>
Wed, 12 Jun 2019 12:02:05 +0000 (14:02 +0200)
committerDaiki Ueno <dueno@redhat.com>
Wed, 12 Jun 2019 12:56:07 +0000 (14:56 +0200)
Previously, we only tested nettle's AES-CBC in
_gnutls_fips_perform_self_checks1(), which is called before the
implementation is overridden.  This adds an AES-CBC self-test in
_gnutls_fips_perform_self_checks2() so it can test the actual
implementation.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
lib/fips.c

index b92edbbd7978b1a967f47ef5d3ceb355d7040c29..902af56749b0bf3fa384938349e94b4f65243b01 100644 (file)
@@ -317,6 +317,12 @@ int _gnutls_fips_perform_self_checks2(void)
                goto error;
        }
 
+       ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC);
+       if (ret < 0) {
+               gnutls_assert();
+               goto error;
+       }
+
        ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM);
        if (ret < 0) {
                gnutls_assert();
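Review bot: The new AES-256-CBC call has no comment saying why CBC is tested a second time, so a later cleanup could mistake it for a duplicate of the check in _gnutls_fips_perform_self_checks1() and remove it. The reason is given only in the commit message. I would put it above the call, e.g. `/* AES-CBC is also tested in _gnutls_fips_perform_self_checks1(), but that runs before the implementation is overridden; re-test the one actually in use. */`. The call passes flags `0` with only GNUTLS_CIPHER_AES_256_CBC, so presumably only that key size is exercised; if an override can register the 128- and 192-bit CBC variants separately, it is worth confirming they are covered elsewhere. The body of _gnutls_fips_perform_self_checks2() starts and ends outside this hunk, so the other self-tests it runs are not visible here.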