fips: Improve selftests invocation.

* src/fips.c (run_digest_selftests): Skip SHA256 selftest if they were already executed as part of the integrity check. (run_mac_selftests): Skip HMAC-SHA256 selftest if they were already executed as part of the integrity check. (run_hmac_sha256_selftests): Run SHA256 selftest too. (_gcry_fips_run_selftests): Run the sha256 selftests regardless of the fips mode status. -- Prevent running the SHA256 tests twice and runs the SHA256 test before the HMAC-SHA256 also from when manually invoked. GnuPG-bug-id: 5617 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
author: Jakub Jelen <jjelen@redhat.com> 2021-10-14 17:58:57 +0200
committer: NIIBE Yutaka <gniibe@fsij.org> 2021-10-15 11:33:08 +0900
commit: d45db4ad16fec0fe7d32aae60f356a386fbf909b (patch)
tree: 8c92b00c744a96f5df2d75e702017ddaa23902b2
parent: b496868dc37d1e9a899e127f54f5c3d5ee2e91cc (diff)
download: libgcrypt-d45db4ad16fec0fe7d32aae60f356a386fbf909b.tar.gz
1 files changed, 18 insertions, 4 deletions
diff --git a/src/fips.c b/src/fips.c
index 29cb8445..e0b76d22 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -385,7 +385,9 @@ run_digest_selftests (int extended)
     {
       GCRY_MD_SHA1,
       GCRY_MD_SHA224,
+#ifndef ENABLE_HMAC_BINARY_CHECK
       GCRY_MD_SHA256,
+#endif
       GCRY_MD_SHA384,
       GCRY_MD_SHA512,
       0
@@ -414,7 +416,9 @@ run_mac_selftests (int extended)
     {
       GCRY_MAC_HMAC_SHA1,
       GCRY_MAC_HMAC_SHA224,
+#ifndef ENABLE_HMAC_BINARY_CHECK
       GCRY_MAC_HMAC_SHA256,
+#endif
       GCRY_MAC_HMAC_SHA384,
       GCRY_MAC_HMAC_SHA512,
       GCRY_MAC_HMAC_SHA3_224,
@@ -638,11 +642,21 @@ static int
 run_hmac_sha256_selftests (int extended)
 {
   gpg_error_t err;
+  int anyerr = 0;
+
+  err = _gcry_md_selftest (GCRY_MD_SHA256, extended, reporter);
+  reporter ("digest", GCRY_MD_SHA256, NULL,
+            err? gpg_strerror (err):NULL);
+  if (err)
+    anyerr = 1;
 
   err = _gcry_mac_selftest (GCRY_MAC_HMAC_SHA256, extended, reporter);
   reporter ("mac", GCRY_MAC_HMAC_SHA256, NULL,
             err? gpg_strerror (err):NULL);
-  return err ? 1 : 0;
+  if (err)
+    anyerr = 1;
+
+  return anyerr;
 }
 #endif
 
@@ -659,11 +673,11 @@ _gcry_fips_run_selftests (int extended)
     fips_new_state (STATE_SELFTEST);
 
 #ifdef ENABLE_HMAC_BINARY_CHECK
+  if (run_hmac_sha256_selftests (extended))
+    goto leave;
+
   if (fips_mode ())
     {
-      if (run_hmac_sha256_selftests (extended))
-        goto leave;
-
       /* Now check the integrity of the binary.  We do this this after
          having checked the HMAC code.  */
       if (check_binary_integrity ())
author	Jakub Jelen <jjelen@redhat.com>	2021-10-14 17:58:57 +0200
committer	NIIBE Yutaka <gniibe@fsij.org>	2021-10-15 11:33:08 +0900
commit	d45db4ad16fec0fe7d32aae60f356a386fbf909b (patch)
tree	8c92b00c744a96f5df2d75e702017ddaa23902b2
parent	b496868dc37d1e9a899e127f54f5c3d5ee2e91cc (diff)
download	libgcrypt-d45db4ad16fec0fe7d32aae60f356a386fbf909b.tar.gz