Disable Dual EC DRBG.

[openssl.git] / crypto / rand / rand_lib.c

diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 476a0cd187ee7629526042e5de5728e6277a4b7c..5ac0e14caf00bd36539b5180985117bd2f94b8fd 100644 (file)
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -269,6 +269,14 @@ int RAND_init_fips(void)
        DRBG_CTX *dctx;
        size_t plen;
        unsigned char pers[32], *p;
+#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
+       if (fips_drbg_type >> 16)
+               {
+               RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
+               return 0;
+               }
+#endif
+               
        dctx = FIPS_get_default_drbg();
         if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
                {