Check selftest status in all crypto operations and abort with

a fatal error on failure.

diff --git a/CHANGES b/CHANGES
index 5cb29ca5fd7fbfa6c068e635c1b364af8217c6fc..37af6c570e136571d78ff67f655db802b6d6c494 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.8e and 0.9.8f-fips  [xx XXX xxxx]
 
+  *) Check for selftest status in all crypto operations and exit with a
+     fatal error if selftest failed.
+     [Steve Henson]
+
   *) New flag in EVP_CIPHER: EVP_CIPH_FLAG_DEFAULT_ASN1. This will
      automatically use EVP_CIPHER_{get,set}_asn1_iv and avoid the
      need for any ASN1 dependencies in FIPS library. Move AES and 3DES

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 9c1a8adf0cd5bd5732935132b1dc1eb8b9c85158..89eda8fd1060c50371bd2d7b2990d6380f567df8 100644 (file)
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -120,6 +120,9 @@
 
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
        {
+#ifdef OPENSSL_FIPS
+       FIPS_selftest_check();
+#endif
        memset(ctx,'\0',sizeof *ctx);
        }
 

diff --git a/crypto/evp/enc_min.c b/crypto/evp/enc_min.c
index dac5ca73d2ec6c075fde3991e3d663b07f4e47f5..d1b14fafc5c681169c084ff3baad31fa7dd58fcd 100644 (file)
--- a/crypto/evp/enc_min.c
+++ b/crypto/evp/enc_min.c
@@ -68,6 +68,9 @@
 
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
        {
+#ifdef OPENSSL_FIPS
+       FIPS_selftest_check();
+#endif
        memset(ctx,0,sizeof(EVP_CIPHER_CTX));
        /* ctx->cipher=NULL; */
        }

diff --git a/fips-1.0/dh/fips_dh_key.c b/fips-1.0/dh/fips_dh_key.c
index b6798076f7308780389437a536027b49f6a3e374..7f5854f4761a03bc6882d6ef58b3be1d27dbfe04 100644 (file)
--- a/fips-1.0/dh/fips_dh_key.c
+++ b/fips-1.0/dh/fips_dh_key.c
@@ -64,6 +64,7 @@
 #endif
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
+#include <openssl/fips.h>
 
 #ifdef OPENSSL_FIPS
 
@@ -241,6 +242,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
 
 static int dh_init(DH *dh)
        {
+       FIPS_selftest_check();
        dh->flags |= DH_FLAG_CACHE_MONT_P;
        return(1);
        }

diff --git a/fips-1.0/dsa/fips_dsa_ossl.c b/fips-1.0/dsa/fips_dsa_ossl.c
index c00a9c4c89756af023b63b9332965431f2504f86..fb3893afc38e0bef5a2d52b6648cbe72312739a7 100644 (file)
--- a/fips-1.0/dsa/fips_dsa_ossl.c
+++ b/fips-1.0/dsa/fips_dsa_ossl.c
@@ -377,6 +377,7 @@ static int dsa_do_verify(const unsigned char *dgst, FIPS_DSA_SIZE_T dgst_len, DS
 
 static int dsa_init(DSA *dsa)
 {
+       FIPS_selftest_check();
        dsa->flags|=DSA_FLAG_CACHE_MONT_P;
        return(1);
 }

diff --git a/fips-1.0/rsa/fips_rsa_eay.c b/fips-1.0/rsa/fips_rsa_eay.c
index 45b3bd1b1a289415d8b4c14e0711cc1fc2ac9820..69170b16b3b88dffe5a8a6f977d337ba053b56ee 100644 (file)
--- a/fips-1.0/rsa/fips_rsa_eay.c
+++ b/fips-1.0/rsa/fips_rsa_eay.c
@@ -891,6 +891,7 @@ err:
 
 static int RSA_eay_init(RSA *rsa)
        {
+       FIPS_selftest_check();
        rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
        return(1);
        }