From 225a9e296b9c0bb57208241d9bcb7be79a9b8b12 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 15 Feb 2011 16:18:18 +0000
Subject: [PATCH] Update pairwise consistency checks to use SHA-256.

---
 crypto/dsa/dsa_key.c | 3 +--
 crypto/rsa/rsa_gen.c | 6 +++---
 fips/fips.c          | 3 +++
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index acc34a5865..fa4fb09c31 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -85,8 +85,7 @@ static int fips_check_dsa(DSA *dsa)
     	pk.type = EVP_PKEY_DSA;
     	pk.pkey.dsa = dsa;
 
-	if (!fips_pkey_signature_test(&pk, tbs, -1,
-					NULL, 0, EVP_sha1(), 0, NULL))
+	if (!fips_pkey_signature_test(&pk, tbs, -1, NULL, 0, NULL, 0, NULL))
 		{
 		FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
 		fips_set_selftest_fail();
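Review bot: The `NULL` now passed as the digest argument to `fips_pkey_signature_test()` reads as "no digest" unless the reader already knows the callee substitutes SHA-256, so the call site should say so, e.g. `/* NULL digest: fips_pkey_signature_test() defaults to SHA-256 */` above the `if`. The same applies to the three calls in `fips_check_rsa` in crypto/rsa/rsa_gen.c. Separately, the DSA pairwise test now signs a 32-byte digest whatever the size of q. Whether the signing path truncates the digest for a 160-bit q is not visible in this hunk and is worth confirming. `fips_check_dsa` starts and ends outside the hunk.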
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 90d6b3cd7c..7bef5dd6bf 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -94,11 +94,11 @@ int fips_check_rsa(RSA *rsa)
 
 	/* Perform pairwise consistency signature test */
 	if (!fips_pkey_signature_test(&pk, tbs, -1,
-			NULL, 0, EVP_sha1(), RSA_PKCS1_PADDING, NULL)
+			NULL, 0, NULL, RSA_PKCS1_PADDING, NULL)
 		|| !fips_pkey_signature_test(&pk, tbs, -1,
-			NULL, 0, EVP_sha1(), RSA_X931_PADDING, NULL)
+			NULL, 0, NULL, RSA_X931_PADDING, NULL)
 		|| !fips_pkey_signature_test(&pk, tbs, -1,
-			NULL, 0, EVP_sha1(), RSA_PKCS1_PSS_PADDING, NULL))
+			NULL, 0, NULL, RSA_PKCS1_PSS_PADDING, NULL))
 		goto err;
 	/* Now perform pairwise consistency encrypt/decrypt test */
 	ctbuf = OPENSSL_malloc(RSA_size(rsa));
diff --git a/fips/fips.c b/fips/fips.c
index 51696b5e7c..6a90328d7e 100644
--- a/fips/fips.c
+++ b/fips/fips.c
@@ -454,6 +454,9 @@ int fips_pkey_signature_test(EVP_PKEY *pkey,
 	if (tbslen == -1)
 		tbslen = strlen((char *)tbs);
 
+	if (digest == NULL)
+		digest = EVP_sha256();
+
 	if (!FIPS_digestinit(&mctx, digest))
 		goto error;
 	if (!FIPS_digestupdate(&mctx, tbs, tbslen))
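Review bot: The added `if (digest == NULL) digest = EVP_sha256();` makes a NULL digest succeed silently, so a caller that passes NULL by mistake (for example from an unchecked digest lookup) now gets a SHA-256 test instead of an error. If that is the intended contract it should be written down, e.g. `/* A NULL digest selects the default, SHA-256 */` above the check and a matching line wherever the function's parameters are documented. How `FIPS_digestinit()` treated a NULL digest before this change is not visible here. The body of `fips_pkey_signature_test` starts and ends outside the hunk.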
-- 
2.40.0