From: Pauli
Date: Mon, 7 Sep 2020 02:50:57 +0000 (+1000)
Subject: rand: add FIPS error state handling
X-Git-Tag: openssl-3.0.0-alpha7~287
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aef30ad0b6811fd6ef1232ec67d24a77c17831ba;p=thirdparty%2Fopenssl.git

rand: add FIPS error state handling

Check for provider being runnable in instantiate, reseed, generate and new calls.

Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/12801)
---

diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index a4a9b177a30..5d364b1a21d 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -20,6 +20,7 @@
 #include "prov/rand_pool.h"
 #include "prov/provider_ctx.h"
 #include "prov/providercommonerr.h"
+#include "prov/providercommon.h"
 
 /*
 * Support framework for NIST SP 800-90A DRBG
@@ -397,6 +398,9 @@ int PROV_DRBG_instantiate(PROV_DRBG *drbg, unsigned int strength,
 size_t noncelen = 0, entropylen = 0;
 size_t min_entropy, min_entropylen, max_entropylen;
 
+ if (!ossl_prov_is_running())
+ return 0;
+
 if (strength > drbg->strength) {
 PROVerr(0, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
 goto end;
@@ -536,6 +540,9 @@ int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance,
 unsigned char *entropy = NULL;
 size_t entropylen = 0;
 
+ if (!ossl_prov_is_running())
+ return 0;
+
 if (drbg->state != EVP_RAND_STATE_READY) {
 /* try to recover from previous errors */
 rand_drbg_restart(drbg);
@@ -647,6 +654,9 @@ int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
 int fork_id;
 int reseed_required = 0;
 
+ if (!ossl_prov_is_running())
+ return 0;
+
 if (drbg->state != EVP_RAND_STATE_READY) {
 /* try to recover from previous errors */
 rand_drbg_restart(drbg);
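Review bot: The new `if (!ossl_prov_is_running()) return 0;` guard in PROV_DRBG_instantiate fails without putting anything on the error queue in the visible lines, while the very next failure in the same function raises `PROV_R_INSUFFICIENT_DRBG_STRENGTH`. The same silent return appears in the PROV_DRBG_reseed and PROV_DRBG_generate hunks, and as `return NULL` in prov_rand_drbg_new, where a caller cannot tell it apart from the allocation failure that does call `ERR_raise`. If `ossl_prov_is_running()` records the error state itself (its body is not part of this diff), a comment above each guard such as `/* ossl_prov_is_running() reports the provider error state */` would make that explicit; otherwise an error should be raised before returning. The guard also returns directly instead of going through `goto end`; that looks intended because nothing has been set up yet, but the `end` label lies outside the hunk.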
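Review bot: In PROV_DRBG_generate the early `return 0` exits before `out` is touched, so a caller that ignores the return value would carry on with whatever the buffer held as if it were random output. The function's header comment is outside the hunk and should state the failure contract, for example `/* Returns 0 on failure; |out| is left unmodified and must be discarded. */`. The function body continues beyond the hunk, so whether later failure paths behave the same way cannot be confirmed from here.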
@@ -810,10 +820,14 @@ PROV_DRBG *prov_rand_drbg_new
 int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
 const unsigned char *adin, size_t adin_len))
 {
- PROV_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg));
+ PROV_DRBG *drbg;
 unsigned int p_str;
 const OSSL_DISPATCH *pfunc;
 
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ drbg = OPENSSL_zalloc(sizeof(*drbg));
 if (drbg == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return NULL;