OpenSSL: Fix FIPS mode enabling in dynamic interface case
authorJouni Malinen <j@w1.fi>
Sat, 1 Aug 2015 19:39:21 +0000 (22:39 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 2 Aug 2015 13:52:56 +0000 (16:52 +0300)
FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls_openssl.c

index de163965e4726b5f2a229b8ccd327d700d55cf48..fcc5c7fed8604d23c7e84507bb7c9fcf7941210c 100644 (file)
@@ -757,7 +757,9 @@ void * tls_init(const struct tls_config *conf)
 #ifdef CONFIG_FIPS
 #ifdef OPENSSL_FIPS
                if (conf && conf->fips_mode) {
-                       if (!FIPS_mode_set(1)) {
+                       static int fips_enabled = 0;
+
+                       if (!fips_enabled && !FIPS_mode_set(1)) {
                                wpa_printf(MSG_ERROR, "Failed to enable FIPS "
                                           "mode");
                                ERR_load_crypto_strings();
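Review bot: The `static int fips_enabled` guard added in this hunk records only that this code path enabled FIPS mode, so it can disagree with the library's actual state. If FIPS mode is already on when tls_init() first runs (for example through OpenSSL configuration or another libcrypto user in the process, neither visible here), `FIPS_mode_set(1)` is still called, and going by the commit message that repeated call would fail and make tls_init() return NULL. Asking the library directly avoids the shadow state: `if (!FIPS_mode() && !FIPS_mode_set(1)) {`, which also makes the `fips_enabled = 1;` assignment in the second hunk unnecessary. If the flag is kept, a comment such as `/* FIPS mode is never disabled again, so this only goes 0 -> 1 */` would record why it is never cleared. tls_init() starts and ends outside both hunks, so the surrounding reference counting was not checked.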
@@ -765,8 +767,10 @@ void * tls_init(const struct tls_config *conf)
                                os_free(tls_global);
                                tls_global = NULL;
                                return NULL;
-                       } else
+                       } else {
                                wpa_printf(MSG_INFO, "Running in FIPS mode");
+                               fips_enabled = 1;
+                       }
                }
 #else /* OPENSSL_FIPS */
                if (conf && conf->fips_mode) {