Check selftest status in all crypto operations and abort with

a fatal error on failure.

CHANGES

@@ -4,6 +4,10 @@
 
  Changes between 0.9.8e and 0.9.8f-fips  [xx XXX xxxx]
 
+  *) Check for selftest status in all crypto operations and exit with a
+     fatal error if selftest failed.
+     [Steve Henson]
+
   *) New flag in EVP_CIPHER: EVP_CIPH_FLAG_DEFAULT_ASN1. This will
      automatically use EVP_CIPHER_{get,set}_asn1_iv and avoid the
      need for any ASN1 dependencies in FIPS library. Move AES and 3DES

crypto/evp/digest.c

@@ -120,6 +120,9 @@
 
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
 	{
+#ifdef OPENSSL_FIPS
+	FIPS_selftest_check();
+#endif
 	memset(ctx,'\0',sizeof *ctx);
 	}
 

crypto/evp/enc_min.c

@@ -68,6 +68,9 @@
 
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
 	{
+#ifdef OPENSSL_FIPS
+	FIPS_selftest_check();
+#endif
 	memset(ctx,0,sizeof(EVP_CIPHER_CTX));
 	/* ctx->cipher=NULL; */
 	}

fips-1.0/dh/fips_dh_key.c

@@ -64,6 +64,7 @@
 #endif
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
+#include <openssl/fips.h>
 
 #ifdef OPENSSL_FIPS
 
@@ -241,6 +242,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
 
 static int dh_init(DH *dh)
 	{
+	FIPS_selftest_check();
 	dh->flags |= DH_FLAG_CACHE_MONT_P;
 	return(1);
 	}

fips-1.0/dsa/fips_dsa_ossl.c

@@ -377,6 +377,7 @@ static int dsa_do_verify(const unsigned char *dgst, FIPS_DSA_SIZE_T dgst_len, DS
 
 static int dsa_init(DSA *dsa)
 {
+	FIPS_selftest_check();
 	dsa->flags|=DSA_FLAG_CACHE_MONT_P;
 	return(1);
 }

fips-1.0/rsa/fips_rsa_eay.c

@@ -891,6 +891,7 @@ err:
 
 static int RSA_eay_init(RSA *rsa)
 	{
+	FIPS_selftest_check();
 	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
 	return(1);
 	}