Ensure that our fips internal provider is always loaded

The fips provider has an internal provider. In some circumstances we
could end up trying to find it, but failing because it hasn't been loaded
yet. We just always ensure it is loaded early to avoid this.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)

(cherry picked from commit 6ff4c1d87468fdd18deeebbb01fbf049bd6cec1f)

diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 490991b5e58ba735dc31f768cf24ce6f222b9d00..9069d4f8dc99411a5a392d2f39fd8751c5cd7fba 100644 (file)
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -1511,6 +1511,16 @@ static int provider_activate_fallbacks(struct provider_store_st *store)
     return ret;
 }
 
+int ossl_provider_activate_fallbacks(OSSL_LIB_CTX *ctx)
+{
+    struct provider_store_st *store = get_provider_store(ctx);
+
+    if (store == NULL)
+        return 0;
+
+    return provider_activate_fallbacks(store);
+}
+
 int ossl_provider_doall_activated(OSSL_LIB_CTX *ctx,
                                   int (*cb)(OSSL_PROVIDER *provider,
                                             void *cbdata),

diff --git a/include/internal/provider.h b/include/internal/provider.h
index 6909a1919c3dd9aecdde7cdeba94963766abf268..7d94346155cc9a0db1114d4d0b5f6ac8963a3f9a 100644 (file)
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -61,6 +61,9 @@ int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov,
 /* Return pointer to the provider's context */
 void *ossl_provider_ctx(const OSSL_PROVIDER *prov);
 
+/* Force loading of fallback providers if necessary */
+int ossl_provider_activate_fallbacks(OSSL_LIB_CTX *ctx);
+
 /* Iterate over all loaded providers */
 int ossl_provider_doall_activated(OSSL_LIB_CTX *,
                                   int (*cb)(OSSL_PROVIDER *provider,

diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 373cd1c2e4c5beee7ad11fe2bb9cc8bff21f11e2..4b9a0574625d920c9ce1df9db70bb36e4017a717 100644 (file)
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -17,6 +17,7 @@
 #include <openssl/proverr.h>
 #include <openssl/indicator.h>
 #include "internal/cryptlib.h"
+#include "internal/provider.h"
 #include "prov/implementations.h"
 #include "prov/names.h"
 #include "prov/provider_ctx.h"
@@ -886,6 +887,15 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
     if (!ossl_thread_register_fips(libctx))
         goto err;
 
+    /*
+     * Ensure our internal provider is loaded. We use this whenever the FIPS
+     * provider internally uses the EVP API. We proactively load this now
+     * rather than waiting for lazy loading to ensure it is always present when
+     * we need it.
+     */
+    if (!ossl_provider_activate_fallbacks(libctx))
+        goto err;
+
     /*
      * We did initial set up of selftest_params in a local copy, because we
      * could not create fgbl until c_CRYPTO_zalloc was defined in the loop