Before initalising a live DRBG (i.e. not in test mode) run a complete health
[openssl.git] / fips / rand / fips_drbg_lib.c
index 7a0a1070e2b21dd740125a1e3256a1ee4bed2ff6..92488767ef6b252f6a7f2d88ab8eca59709d030c 100644 (file)
@@ -84,6 +84,18 @@ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
                        FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
                }
 
+       /* If not in test mode run selftests on DRBG of the same type */
+
+       if (!(dctx->flags & DRBG_FLAG_TEST))
+               {
+               DRBG_CTX tctx;
+               if (!fips_drbg_kat(&tctx, type, flags | DRBG_FLAG_TEST))
+                       {
+                       /*FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);*/
+                       return 0;
+                       }
+               }
+
        return rv;
        }
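Review bot: The self-test failure branch returns 0 with its error call commented out, so a failed known-answer test puts nothing on the error queue and a caller cannot tell a health-test failure from any other failure of FIPS_drbg_init. I would restore the line as `FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);`, adding the reason code first if it is not yet defined. The new block also sits after the type-specific initialisation, whose error path is the context above it, so on KAT failure `dctx` appears to be left set up with nothing here clearing it or marking it unusable. Running the check before that initialisation, as the commit title describes, would avoid relying on every caller to honour the return value. The start of the function is outside the hunk, so how `dctx->flags` is set from `flags` and whether `fips_drbg_kat` wipes the stack `tctx` cannot be confirmed from here.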