Note that mbedtls_ctr_drbg_seed() must not be called twice

gilles-peskine-arm · gilles-peskine-arm · commit 07ebf5714f66 · 2019-10-28T17:33:07.000+01:00
You can't reuse a CTR_DRBG context without free()ing it. This
generally happened to work, but was never guaranteed. It could have
failed with alternative implementations of the AES module because
mbedtls_ctr_drbg_seed() calls mbedtls_aes_init() on a context which is
already initialized if mbedtls_ctr_drbg_seed() hasn't been called
before, plausibly causing a memory leak. Since the addition of
mbedtls_ctr_drbg_set_nonce_len(), the second call to
mbedtls_ctr_drbg_seed() uses a nonsensical value as the entropy nonce
length.
diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h
@@ -278,6 +278,12 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
  *                      (maximum achievable strength when using AES-256).
  *
  * \param ctx           The CTR_DRBG context to seed.
+ *                      It must have been initialized with
+ *                      mbedtls_ctr_drbg_init().
+ *                      After a successful call to mbedtls_ctr_drbg_seed(),
+ *                      you may not call mbedtls_ctr_drbg_seed() again on
+ *                      the same context unless you call
+ *                      mbedtls_ctr_drbg_free() first.
  * \param f_entropy     The entropy callback, taking as arguments the
  *                      \p p_entropy context, the buffer to fill, and the
  *                      length of the buffer.
