From: Matt Caswell <matt@openssl.org>
Date: Wed, 16 Apr 2025 11:20:10 +0000 (+0100)
Subject: Ensure that our fips internal provider is always loaded
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ff4c1d87468fdd18deeebbb01fbf049bd6cec1f;p=thirdparty%2Fopenssl.git

Ensure that our fips internal provider is always loaded

The fips provider has an internal provider. In some circumstances we
could end up trying to find it, but failing because it hasn't been loaded
yet. We just always ensure it is loaded early to avoid this.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
---

diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 490991b5e58..9069d4f8dc9 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -1511,6 +1511,16 @@ static int provider_activate_fallbacks(struct provider_store_st *store)
     return ret;
 }
 
+int ossl_provider_activate_fallbacks(OSSL_LIB_CTX *ctx)
+{
+    struct provider_store_st *store = get_provider_store(ctx);
+
+    if (store == NULL)
+        return 0;
+
+    return provider_activate_fallbacks(store);
+}
+
 int ossl_provider_doall_activated(OSSL_LIB_CTX *ctx,
                                   int (*cb)(OSSL_PROVIDER *provider,
                                             void *cbdata),
diff --git a/include/internal/provider.h b/include/internal/provider.h
index 6909a1919c3..7d94346155c 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -61,6 +61,9 @@ int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov,
 /* Return pointer to the provider's context */
 void *ossl_provider_ctx(const OSSL_PROVIDER *prov);
 
+/* Force loading of fallback providers if necessary */
+int ossl_provider_activate_fallbacks(OSSL_LIB_CTX *ctx);
+
 /* Iterate over all loaded providers */
 int ossl_provider_doall_activated(OSSL_LIB_CTX *,
                                   int (*cb)(OSSL_PROVIDER *provider,
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 21032b9ba2e..5f9745ce5ad 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -17,6 +17,7 @@
 #include <openssl/proverr.h>
 #include <openssl/indicator.h>
 #include "internal/cryptlib.h"
+#include "internal/provider.h"
 #include "prov/implementations.h"
 #include "prov/names.h"
 #include "prov/provider_ctx.h"
@@ -904,6 +905,15 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
     if (!ossl_thread_register_fips(libctx))
         goto err;
 
+    /*
+     * Ensure our internal provider is loaded. We use this whenever the FIPS
+     * provider internally uses the EVP API. We proactively load this now
+     * rather than waiting for lazy loading to ensure it is always present when
+     * we need it.
+     */
+    if (!ossl_provider_activate_fallbacks(libctx))
+        goto err;
+
     /*
      * We did initial set up of selftest_params in a local copy, because we
      * could not create fgbl until c_CRYPTO_zalloc was defined in the loop