From 225a9e296b9c0bb57208241d9bcb7be79a9b8b12 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Tue, 15 Feb 2011 16:18:18 +0000
Subject: [PATCH] Update pairwise consistency checks to use SHA-256.
---
 crypto/dsa/dsa_key.c | 3 +--
 crypto/rsa/rsa_gen.c | 6 +++---
 fips/fips.c | 3 +++
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index acc34a5865..fa4fb09c31 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -85,8 +85,7 @@ static int fips_check_dsa(DSA *dsa)
 pk.type = EVP_PKEY_DSA;
 pk.pkey.dsa = dsa;
 
- if (!fips_pkey_signature_test(&pk, tbs, -1,
- NULL, 0, EVP_sha1(), 0, NULL))
+ if (!fips_pkey_signature_test(&pk, tbs, -1, NULL, 0, NULL, 0, NULL))
 {
 FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
 fips_set_selftest_fail();
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 90d6b3cd7c..7bef5dd6bf 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -94,11 +94,11 @@ int fips_check_rsa(RSA *rsa)
 
 /* Perform pairwise consistency signature test */
 if (!fips_pkey_signature_test(&pk, tbs, -1,
- NULL, 0, EVP_sha1(), RSA_PKCS1_PADDING, NULL)
+ NULL, 0, NULL, RSA_PKCS1_PADDING, NULL)
 || !fips_pkey_signature_test(&pk, tbs, -1,
- NULL, 0, EVP_sha1(), RSA_X931_PADDING, NULL)
+ NULL, 0, NULL, RSA_X931_PADDING, NULL)
 || !fips_pkey_signature_test(&pk, tbs, -1,
- NULL, 0, EVP_sha1(), RSA_PKCS1_PSS_PADDING, NULL))
+ NULL, 0, NULL, RSA_PKCS1_PSS_PADDING, NULL))
 goto err;
 /* Now perform pairwise consistency encrypt/decrypt test */
 ctbuf = OPENSSL_malloc(RSA_size(rsa));
diff --git a/fips/fips.c b/fips/fips.c
index 51696b5e7c..6a90328d7e 100644
--- a/fips/fips.c
+++ b/fips/fips.c
@@ -454,6 +454,9 @@ int fips_pkey_signature_test(EVP_PKEY *pkey,
 if (tbslen == -1)
 tbslen = strlen((char *)tbs);
 
+ if (digest == NULL)
+ digest = EVP_sha256();
+
 if (!FIPS_digestinit(&mctx, digest))
 goto error;
 if (!FIPS_digestupdate(&mctx, tbs, tbslen))
--
2.25.1
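Review bot: The `NULL` now passed as the digest argument in `fips_check_dsa()` gives no hint at the call site of which hash the pairwise consistency test runs with; the SHA-256 choice lives only in the default added to `fips_pkey_signature_test()` in fips/fips.c. A short comment above the call, e.g. `/* NULL digest: fips_pkey_signature_test() defaults to SHA-256 */`, would keep the algorithm visible to anyone auditing the self-test. The same applies to the three calls in `fips_check_rsa()` in crypto/rsa/rsa_gen.c. Both functions start and end outside their hunks.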
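Review bot: With the added `if (digest == NULL) digest = EVP_sha256();` in `fips_pkey_signature_test()`, a caller that ends up with a NULL digest by mistake (for example from a failed lookup) no longer reaches `FIPS_digestinit()` with NULL but silently runs the signature test with SHA-256. Since NULL is now part of the function's contract, its header comment should say so, e.g. `/* digest == NULL selects the default digest, SHA-256 */`. The function's signature and the rest of its body are outside the hunk, so whether `digest` is read before this point cannot be confirmed from here.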