global: Load configuration after FIPS POST

Previously, if the loaded configuration file disabled an algorithm
tested during FIPS-140 power-on self-tests, the test would fail.  By
loading the configuration file after the test is finished, such failure
is avoided as any algorithm is allowed during the tests.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

diff --git a/lib/global.c b/lib/global.c
index b42fcb2632659390501346c9ee64c11cd7098d4a..9a65d114cc8c68f165c307514e406744343a3e89 100644 (file)
--- a/lib/global.c
+++ b/lib/global.c
@@ -368,7 +368,6 @@ static int _gnutls_global_init(unsigned constructor)
 
        _gnutls_register_accel_crypto();
        _gnutls_cryptodev_init();
-       _gnutls_load_system_priorities();
 
 #ifdef ENABLE_FIPS140
        /* These self tests are performed on the overridden algorithms
@@ -385,6 +384,7 @@ static int _gnutls_global_init(unsigned constructor)
                _gnutls_fips_mode_reset_zombie();
        }
 #endif
+       _gnutls_load_system_priorities();
        _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL);
        ret = 0;