Check for uninitialised DRBG_CTX and don't free up default DRBG_CTX.

diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c
index 39c007f6bbbf16d70f489ce5fdbfe2cd30b06351..32e4b83c5e9f7cdcb83fbc44436b3412dd7e0633 100644 (file)
--- a/fips/rand/fips_drbg_lib.c
+++ b/fips/rand/fips_drbg_lib.c
@@ -135,8 +135,18 @@ void FIPS_drbg_free(DRBG_CTX *dctx)
        {
        if (dctx->uninstantiate)
                dctx->uninstantiate(dctx);
-       OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
-       OPENSSL_free(dctx);
+       /* Don't free up default DRBG */
+       if (dctx == FIPS_get_default_drbg())
+               {
+               memset(dctx, 0, sizeof(DRBG_CTX));
+               dctx->type = 0;
+               dctx->status = DRBG_STATUS_UNINITIALISED;
+               }
+       else
+               {
+               OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
+               OPENSSL_free(dctx);
+               }
        }
 
 static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
@@ -194,6 +204,7 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
        FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
        FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
        FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
+       FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
 #endif
 
        int r = 0;
@@ -204,6 +215,12 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
                goto end;
                }
 
+       if (!dctx->instantiate)
+               {
+               r = FIPS_R_DRBG_NOT_INITIALISED;
+               goto end;
+               }
+
        if (dctx->status != DRBG_STATUS_UNINITIALISED)
                {
                if (dctx->status == DRBG_STATUS_ERROR)