gnutls/SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch

From facea2b7659e11efce7014bda8800574d35dd05d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 12 Jun 2019 14:02:05 +0200
Subject: [PATCH] fips: run selftests over overridden AES-CBC algorithm

Previously, we only tested nettle's AES-CBC in
_gnutls_fips_perform_self_checks1(), which is called before the
implementation is overridden.  This adds an AES-CBC self-test in
_gnutls_fips_perform_self_checks2() so it can test the actual
implementation.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/fips.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/fips.c b/lib/fips.c
index b92edbbd7..902af5674 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -317,6 +317,12 @@ int _gnutls_fips_perform_self_checks2(void)
 		goto error;
 	}
 
+	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC);
+	if (ret < 0) {
+		gnutls_assert();
+		goto error;
+	}
+
 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM);
 	if (ret < 0) {
 		gnutls_assert();
-- 
2.20.1