Ensure that our fips internal provider is always loaded

The fips provider has an internal provider. In some circumstances we
could end up trying to find it, but failing because it hasn't been loaded
yet. We just always ensure it is loaded early to avoid this.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)

diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 490991b5e58ba735dc31f768cf24ce6f222b9d00..9069d4f8dc99411a5a392d2f39fd8751c5cd7fba 100644 (file)
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -1511,6 +1511,16 @@ static int provider_activate_fallbacks(struct provider_store_st *store)
     return ret;
 }
 
+int ossl_provider_activate_fallbacks(OSSL_LIB_CTX *ctx)
+{
+    struct provider_store_st *store = get_provider_store(ctx);
+
+    if (store == NULL)
+        return 0;
+
+    return provider_activate_fallbacks(store);
+}
+
 int ossl_provider_doall_activated(OSSL_LIB_CTX *ctx,
                                   int (*cb)(OSSL_PROVIDER *provider,
                                             void *cbdata),

diff --git a/include/internal/provider.h b/include/internal/provider.h
index 6909a1919c3dd9aecdde7cdeba94963766abf268..7d94346155cc9a0db1114d4d0b5f6ac8963a3f9a 100644 (file)
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -61,6 +61,9 @@ int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov,
 /* Return pointer to the provider's context */
 void *ossl_provider_ctx(const OSSL_PROVIDER *prov);
 
+/* Force loading of fallback providers if necessary */
+int ossl_provider_activate_fallbacks(OSSL_LIB_CTX *ctx);
+
 /* Iterate over all loaded providers */
 int ossl_provider_doall_activated(OSSL_LIB_CTX *,
                                   int (*cb)(OSSL_PROVIDER *provider,

diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 21032b9ba2e0fcefd643d849cd34e07cbfc3ad45..5f9745ce5ad47b4c270e9a7f7bcbae777bd08516 100644 (file)
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -17,6 +17,7 @@
 #include <openssl/proverr.h>
 #include <openssl/indicator.h>
 #include "internal/cryptlib.h"
+#include "internal/provider.h"
 #include "prov/implementations.h"
 #include "prov/names.h"
 #include "prov/provider_ctx.h"
@@ -904,6 +905,15 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
     if (!ossl_thread_register_fips(libctx))
         goto err;
 
+    /*
+     * Ensure our internal provider is loaded. We use this whenever the FIPS
+     * provider internally uses the EVP API. We proactively load this now
+     * rather than waiting for lazy loading to ensure it is always present when
+     * we need it.
+     */
+    if (!ossl_provider_activate_fallbacks(libctx))
+        goto err;
+
     /*
      * We did initial set up of selftest_params in a local copy, because we
      * could not create fgbl until c_CRYPTO_zalloc was defined in the loop