Check for uninitialised DRBG_CTX and don't free up default DRBG_CTX.

openssl · Oct 21, 2011 · af4bfa1 · af4bfa1
1 parent 3b59304
commit af4bfa1
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c
@@ -135,8 +135,18 @@ void FIPS_drbg_free(DRBG_CTX *dctx)
 	{
 	if (dctx->uninstantiate)
 		dctx->uninstantiate(dctx);
-	OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
-	OPENSSL_free(dctx);
+	/* Don't free up default DRBG */
+	if (dctx == FIPS_get_default_drbg())
+		{
+		memset(dctx, 0, sizeof(DRBG_CTX));
+		dctx->type = 0;
+		dctx->status = DRBG_STATUS_UNINITIALISED;
+		}
+	else
+		{
+		OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
+		OPENSSL_free(dctx);
+		}
 	}
 
 static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
@@ -194,6 +204,7 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
 	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
 	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
 	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
+	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
 #endif
 
 	int r = 0;
@@ -204,6 +215,12 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
 		goto end;
 		}
 
+	if (!dctx->instantiate)
+		{
+		r = FIPS_R_DRBG_NOT_INITIALISED;
+		goto end;
+		}
+
 	if (dctx->status != DRBG_STATUS_UNINITIALISED)
 		{
 		if (dctx->status == DRBG_STATUS_ERROR)