diff --git a/crypto/fipsmodule/curve25519/curve25519.c b/crypto/fipsmodule/curve25519/curve25519.c index 3b428cea9d..16249bd1a2 100644 --- a/crypto/fipsmodule/curve25519/curve25519.c +++ b/crypto/fipsmodule/curve25519/curve25519.c @@ -126,6 +126,8 @@ static void ed25519_keypair_pct(uint8_t public_key[ED25519_PUBLIC_KEY_LEN], void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) { + // We have to avoid the self tests and digest function in ed25519_keypair_pct + // from updating the service indicator. FIPS_service_indicator_lock_state(); boringssl_ensure_eddsa_self_test(); SET_DIT_AUTO_RESET; diff --git a/include/openssl/service_indicator.h b/include/openssl/service_indicator.h index 39ab6ea19b..ba2f4c449d 100644 --- a/include/openssl/service_indicator.h +++ b/include/openssl/service_indicator.h @@ -44,13 +44,19 @@ enum FIPSStatus { // |AWSLC_NOT_APPROVED| accordingly to the approved state of the service ran. // It is highly recommended that users of the service indicator use this macro // when interacting with the service indicator. +// +// This macro tests before != after to handle potential uint64_t rollover in +// long-running applications that use the release build of AWS-LC. Debug builds +// use an assert before + 1 == after to ensure in testing the service indicator +// is operating as expected. #define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \ do { \ (approved) = AWSLC_NOT_APPROVED; \ int before = FIPS_service_indicator_before_call(); \ func; \ int after = FIPS_service_indicator_after_call(); \ - if (before + 1 == after) { \ + if (before != after) { \ + assert(before + 1 == after); \ (approved) = AWSLC_APPROVED; \ } \ } \