From ffc35e73b49cc2069ad879b0d065810f031d5570 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Mon, 2 Jul 2007 11:22:50 +0000
Subject: [PATCH] Check selftest status in all crypto operations and abort with
 a fatal error on failure.

---
 CHANGES                      | 4 ++++
 crypto/evp/digest.c          | 3 +++
 crypto/evp/enc_min.c         | 3 +++
 fips-1.0/dh/fips_dh_key.c    | 2 ++
 fips-1.0/dsa/fips_dsa_ossl.c | 1 +
 fips-1.0/rsa/fips_rsa_eay.c  | 1 +
 6 files changed, 14 insertions(+)

diff --git a/CHANGES b/CHANGES
index 5cb29ca5fd..37af6c570e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.8e and 0.9.8f-fips  [xx XXX xxxx]
 
+  *) Check for selftest status in all crypto operations and exit with a
+     fatal error if selftest failed.
+     [Steve Henson]
+
   *) New flag in EVP_CIPHER: EVP_CIPH_FLAG_DEFAULT_ASN1. This will
      automatically use EVP_CIPHER_{get,set}_asn1_iv and avoid the
      need for any ASN1 dependencies in FIPS library. Move AES and 3DES
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 9c1a8adf0c..89eda8fd10 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -120,6 +120,9 @@
 
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
 	{
+#ifdef OPENSSL_FIPS
+	FIPS_selftest_check();
+#endif
 	memset(ctx,'\0',sizeof *ctx);
 	}
 
diff --git a/crypto/evp/enc_min.c b/crypto/evp/enc_min.c
index dac5ca73d2..d1b14fafc5 100644
--- a/crypto/evp/enc_min.c
+++ b/crypto/evp/enc_min.c
@@ -68,6 +68,9 @@
 
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
 	{
+#ifdef OPENSSL_FIPS
+	FIPS_selftest_check();
+#endif
 	memset(ctx,0,sizeof(EVP_CIPHER_CTX));
 	/* ctx->cipher=NULL; */
 	}
diff --git a/fips-1.0/dh/fips_dh_key.c b/fips-1.0/dh/fips_dh_key.c
index b6798076f7..7f5854f476 100644
--- a/fips-1.0/dh/fips_dh_key.c
+++ b/fips-1.0/dh/fips_dh_key.c
@@ -64,6 +64,7 @@
 #endif
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
+#include <openssl/fips.h>
 
 #ifdef OPENSSL_FIPS
 
@@ -241,6 +242,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
 
 static int dh_init(DH *dh)
 	{
+	FIPS_selftest_check();
 	dh->flags |= DH_FLAG_CACHE_MONT_P;
 	return(1);
 	}
diff --git a/fips-1.0/dsa/fips_dsa_ossl.c b/fips-1.0/dsa/fips_dsa_ossl.c
index c00a9c4c89..fb3893afc3 100644
--- a/fips-1.0/dsa/fips_dsa_ossl.c
+++ b/fips-1.0/dsa/fips_dsa_ossl.c
@@ -377,6 +377,7 @@ static int dsa_do_verify(const unsigned char *dgst, FIPS_DSA_SIZE_T dgst_len, DS
 
 static int dsa_init(DSA *dsa)
 {
+	FIPS_selftest_check();
 	dsa->flags|=DSA_FLAG_CACHE_MONT_P;
 	return(1);
 }
diff --git a/fips-1.0/rsa/fips_rsa_eay.c b/fips-1.0/rsa/fips_rsa_eay.c
index 45b3bd1b1a..69170b16b3 100644
--- a/fips-1.0/rsa/fips_rsa_eay.c
+++ b/fips-1.0/rsa/fips_rsa_eay.c
@@ -891,6 +891,7 @@ err:
 
 static int RSA_eay_init(RSA *rsa)
 	{
+	FIPS_selftest_check();
 	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
 	return(1);
 	}
-- 
2.25.1