From: Dr. Stephen Henson
Date: Sat, 9 Apr 2011 17:27:07 +0000 (+0000)
Subject: Before initalising a live DRBG (i.e. not in test mode) run a complete health
X-Git-Tag: OpenSSL-fips-2_0-rc1~582
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=f3823ddfcf2add3ebe1176412211d92e9b7df46d;p=oweals%2Fopenssl.git
Before initalising a live DRBG (i.e. not in test mode) run a complete health check on a DRBG of the same type.
---
diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c
index 7a0a1070e2..92488767ef 100644
--- a/fips/rand/fips_drbg_lib.c
+++ b/fips/rand/fips_drbg_lib.c
@@ -84,6 +84,18 @@ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
 FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
 }
+ /* If not in test mode run selftests on DRBG of the same type */
+
+ if (!(dctx->flags & DRBG_FLAG_TEST))
+ {
+ DRBG_CTX tctx;
+ if (!fips_drbg_kat(&tctx, type, flags | DRBG_FLAG_TEST))
+ {
+ /*FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);*/
+ return 0;
+ }
+ }
+
 return rv;
 }
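Review bot: When the health check fails, the added block returns 0 silently, because the `FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);` call is commented out. A failed known-answer test therefore leaves nothing on the error queue and looks the same to the caller as any other init failure; the call should be enabled once that reason code is defined. The block also sits after the existing init error path, so it appears to run the KAT even when `rv` already signals failure, and a KAT failure leaves `dctx` in whatever state the earlier setup produced. The start of FIPS_drbg_init is outside the hunk, so this is inferred, but running the check before `dctx` is populated (or clearing `dctx` before `return 0;`) would match the commit message's "before initialising". A short comment on `DRBG_CTX tctx;` saying whether `fips_drbg_kat` fully initialises and uninstantiates the stack context would also help, since it is passed in uninitialised here.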