-rw-r--r--random/ChangeLog5
-rw-r--r--random/random-fips.c3
-rw-r--r--random/random.c2
-rw-r--r--src/ChangeLog7
-rw-r--r--src/fips.c16
-rw-r--r--src/g10lib.h2
-rw-r--r--src/gcrypt.h.in3
-rw-r--r--src/global.c7
-rw-r--r--tests/basic.c10
9 files changed, 45 insertions, 10 deletions
diff --git a/random/ChangeLog b/random/ChangeLog
index bb308688..19042680 100644
--- a/random/ChangeLog
+++ b/random/ChangeLog
@@ -1,3 +1,8 @@
+2008-09-05 Werner Koch <wk@g10code.com>
+
+ * random.c (_gcry_random_selftest): Return success if not in fips
+ mode.
+
2008-09-01 Werner Koch <wk@g10code.com>
* random-fips.c (x931_get_dt) [W32]: Do not use getppid.
diff --git a/random/random-fips.c b/random/random-fips.c
index effce500..f81ab466 100644
--- a/random/random-fips.c
+++ b/random/random-fips.c
@@ -783,6 +783,9 @@ _gcry_rngfips_is_faked (void)
gcry_error_t
_gcry_rngfips_add_bytes (const void *buf, size_t buflen, int quality)
{
+ (void)buf;
+ (void)buflen;
+ (void)quality;
return 0; /* Not implemented. */
}
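Review bot: `_gcry_rngfips_add_bytes` still returns 0 while discarding `buf`, so a caller that supplies seed material is told it was accepted; the new `(void)` casts silence the warnings without saying whether that is deliberate. If dropping external input is intended for the FIPS generator, the trailing comment should say so, e.g. `return 0; /* Deliberately ignored: no external seed material is mixed in here. */`. If it is not intended, returning an error code would be more honest than success. Which of the two applies is not visible in this hunk.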
diff --git a/random/random.c b/random/random.c
index 3e71195d..7a286b8e 100644
--- a/random/random.c
+++ b/random/random.c
@@ -280,6 +280,6 @@ _gcry_random_selftest (selftest_report_func_t report)
if (fips_mode ())
return _gcry_rngfips_selftest (report);
else
- return gpg_error (GPG_ERR_NOT_SUPPORTED);
+ return 0; /* No selftests yet. */
}
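Review bot: The new `return 0;` in the non-fips branch reports success for a test that never ran, so a caller of the self-test path in standard mode cannot tell "RNG passed" from "RNG not tested". The previous `GPG_ERR_NOT_SUPPORTED` made that gap visible. If success has to be returned so that an overall self-test run can pass, the comment should spell out the meaning, e.g. `return 0; /* Standard RNG has no selftest yet; 0 means "not tested", not "passed". */`. The function starts above the hunk.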
diff --git a/src/ChangeLog b/src/ChangeLog
index 57cad799..57826a23 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2008-09-05 Werner Koch <wk@g10code.com>
+
+ * gcrypt.h.in (GCYRCTL_SELFTEST): New.
+ * global.c (_gcry_vcontrol): Implement.
+ * fips.c (_gcry_fips_run_selftests): Do state transitions only if
+ in fips mode. Return an error code.
+
2008-09-01 Werner Koch <wk@g10code.com>
* stdmem.c: Re-indented.
diff --git a/src/fips.c b/src/fips.c
index 04b34d87..73a5816a 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -200,8 +200,8 @@ unlock_fsm (void)
/* This function returns true if fips mode is enabled. This is
independent of the fips required finite state machine and only used
- to enable run fips specific code. Please use the fips_mode macro
- instead of calling this fucntion directly. */
+ to enable fips specific code. Please use the fips_mode macro
+ instead of calling this function directly. */
int
_gcry_fips_mode (void)
{
@@ -520,12 +520,14 @@ check_binary_integrity (void)
/* Run the self-tests. */
-void
+gpg_err_code_t
_gcry_fips_run_selftests (void)
{
enum module_states result = STATE_ERROR;
+ gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED;
- fips_new_state (STATE_SELFTEST);
+ if (fips_mode ())
+ fips_new_state (STATE_SELFTEST);
if (run_cipher_selftests ())
goto leave;
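Review bot: `ec` is declared as `gcry_err_code_t` while the function and its prototype in src/g10lib.h return `gpg_err_code_t`; the two are presumably aliases, but the spelling should match: `gpg_err_code_t ec = GPG_ERR_SELFTEST_FAILED;`. The header comment `/* Run the self-tests. */` also no longer describes the contract. It should state that 0 is returned on success and an error code otherwise, and that state-machine transitions happen only in fips mode. The function body continues past this hunk.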
@@ -549,9 +551,13 @@ _gcry_fips_run_selftests (void)
/* All selftests passed. */
result = STATE_OPERATIONAL;
+ ec = 0;
leave:
- fips_new_state (result);
+ if (fips_mode ())
+ fips_new_state (result);
+
+ return ec;
}
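Review bot: `fips_mode ()` is evaluated a second time at `leave:`, independently of the check made before the tests ran, so the `STATE_SELFTEST` transition and the result transition stay paired only if the mode cannot change in between. Reading it once at the top, `int in_fips = fips_mode ();`, and testing `in_fips` in both places would keep them paired by construction. Whether the mode can change while the tests run is not visible here. The function begins in the previous hunk.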
diff --git a/src/g10lib.h b/src/g10lib.h
index 98602527..1a7ddffb 100644
--- a/src/g10lib.h
+++ b/src/g10lib.h
@@ -316,7 +316,7 @@ int _gcry_fips_is_operational (void);
int _gcry_fips_test_operational (void);
int _gcry_fips_test_error_or_operational (void);
-void _gcry_fips_run_selftests (void);
+gpg_err_code_t _gcry_fips_run_selftests (void);
void _gcry_fips_noreturn (void);
#define fips_noreturn() (_gcry_fips_noreturn ())
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index 1bf8628a..4d8bcd0a 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -408,7 +408,8 @@ enum gcry_ctl_cmds
GCRYCTL_PRINT_CONFIG = 53,
GCRYCTL_OPERATIONAL_P = 54,
GCRYCTL_FIPS_MODE_P = 55,
- GCRYCTL_FORCE_FIPS_MODE = 56
+ GCRYCTL_FORCE_FIPS_MODE = 56,
+ GCRYCTL_SELFTEST = 57
};
/* Perform various operations defined by CMD. */
diff --git a/src/global.c b/src/global.c
index 3b32ec61..e664aa7f 100644
--- a/src/global.c
+++ b/src/global.c
@@ -475,6 +475,13 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
}
break;
+ case GCRYCTL_SELFTEST:
+ /* Run a selftest. This works in fips mode as weel as in
+ standard mode. Returns 0 on success or an error code. */
+ global_init ();
+ err = _gcry_fips_run_selftests ();
+ break;
+
default:
err = GPG_ERR_INV_OP;
}
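Review bot: The comment in the new `case GCRYCTL_SELFTEST:` misspells "well" as `weel` and leaves out what a caller most needs to know. As far as the src/fips.c hunks show, a failed run outside fips mode triggers no state transition, so the return value is the only signal and has to be checked. Suggested wording: `/* Run the selftests. Works in fips and in standard mode. In standard mode a failure is reported only through the return value. */`. The enclosing switch starts above the hunk.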
diff --git a/tests/basic.c b/tests/basic.c
index aafd41c9..7904b8fe 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -2105,9 +2105,9 @@ main (int argc, char **argv)
check_hmac ();
check_pubkey ();
- /* If we are in fips mode do some more tests. */
if (in_fips_mode)
{
+ /* If we are in fips mode do some more tests. */
gcry_md_hd_t md;
/* First trigger a self-test. */
@@ -2130,6 +2130,8 @@ main (int argc, char **argv)
/* gcry_md_get_algo is only defined for a context with
just one digest algorithm. With our setup it should
put the oibrary intoerror state. */
+ fputs ("Note: Two lines with error messages follow "
+ "- this is expected\n", stderr);
gcry_md_get_algo (md);
gcry_md_close (md);
if (gcry_control (GCRYCTL_OPERATIONAL_P, 0))
@@ -2147,7 +2149,11 @@ main (int argc, char **argv)
}
}
-
+ else
+ {
+ /* If in standard mode, run selftests. */
+ gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0);
+ }
if (verbose)
fprintf (stderr, "\nAll tests completed. Errors: %i\n", error_count);
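Review bot: The new `else` branch is commented "run selftests" but issues `GCRYCTL_FORCE_FIPS_MODE`, not the `GCRYCTL_SELFTEST` command this commit introduces, and it discards the result. As written, the standard-mode path never exercises the new command, and forcing fips mode at the end of a standard-mode run is presumably not what was meant. The call should be `if (gcry_control (GCRYCTL_SELFTEST, 0))`, followed by recording a failure so that `error_count` reflects it. `main` begins and ends outside this hunk.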