From 49cb5e0b408d24fbd2fe197a18be64068cac1277 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 12 Apr 2011 14:28:06 +0000
Subject: [PATCH] Fix memory leaks: uninstantiate DRBG during health checks.
 Cleanup md_ctx when performing ECDSA selftest.

---
 crypto/fips_err.h                |  1 +
 fips/ecdsa/fips_ecdsa_selftest.c |  2 ++
 fips/fips.h                      |  1 +
 fips/rand/fips_drbg_selftest.c   | 15 +++++++++++++++
 4 files changed, 19 insertions(+)

diff --git a/crypto/fips_err.h b/crypto/fips_err.h
index 9c235080ac..9a824c7306 100644
--- a/crypto/fips_err.h
+++ b/crypto/fips_err.h
@@ -157,6 +157,7 @@ static ERR_STRING_DATA FIPS_str_reasons[]=
 {ERR_REASON(FIPS_R_SELFTEST_FAILURE)     ,"selftest failure"},
 {ERR_REASON(FIPS_R_STRENGTH_ERROR_UNDETECTED),"strength error undetected"},
 {ERR_REASON(FIPS_R_TEST_FAILURE)         ,"test failure"},
+{ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR)  ,"uninstantiate error"},
 {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),"uninstantiate zeroise error"},
 {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE),"unsupported drbg type"},
 {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM) ,"unsupported platform"},
diff --git a/fips/ecdsa/fips_ecdsa_selftest.c b/fips/ecdsa/fips_ecdsa_selftest.c
index 722ae673bc..7f7ddda603 100644
--- a/fips/ecdsa/fips_ecdsa_selftest.c
+++ b/fips/ecdsa/fips_ecdsa_selftest.c
@@ -151,6 +151,8 @@ int FIPS_selftest_ecdsa()
 
 	err:
 
+	FIPS_md_ctx_cleanup(&mctx);
+
 	if (x)
 		BN_clear_free(x);
 	if (y)
diff --git a/fips/fips.h b/fips/fips.h
index 92f61a89a8..0481983f78 100644
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -280,6 +280,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_R_SELFTEST_FAILURE				 135
 #define FIPS_R_STRENGTH_ERROR_UNDETECTED		 136
 #define FIPS_R_TEST_FAILURE				 137
+#define FIPS_R_UNINSTANTIATE_ERROR			 141
 #define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR		 138
 #define FIPS_R_UNSUPPORTED_DRBG_TYPE			 139
 #define FIPS_R_UNSUPPORTED_PLATFORM			 140
diff --git a/fips/rand/fips_drbg_selftest.c b/fips/rand/fips_drbg_selftest.c
index d1f9dd118b..496ea73481 100644
--- a/fips/rand/fips_drbg_selftest.c
+++ b/fips/rand/fips_drbg_selftest.c
@@ -859,6 +859,13 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 		goto err;
 		}
 
+	dctx->flags &= ~DRBG_FLAG_NOERR;
+	if (!FIPS_drbg_uninstantiate(dctx))
+		{
+		FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+		goto err;
+		}
+
 	/* Instantiate with valid data. NB: errors now reported again */
 	if (!FIPS_drbg_init(dctx, td->nid, td->flags))
 		goto err;
@@ -911,6 +918,14 @@ static int fips_drbg_health_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
 		goto err;
 		}
 		
+	dctx->flags &= ~DRBG_FLAG_NOERR;
+
+	if (!FIPS_drbg_uninstantiate(dctx))
+		{
+		FIPSerr(FIPS_F_FIPS_DRBG_HEALTH_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+		goto err;
+		}
+
 
 	/* Instantiate again with valid data */
 
-- 
2.25.1