authorMatt Caswell <matt@openssl.org>2021-07-27 16:59:59 +0100
committerPauli <pauli@openssl.org>2021-07-28 10:35:06 +1000
commit589fbc18aa5e72b2574a71d69c09b4f63f0ae943 (patch)
treef25795d777c85c8c0afaa78960824fbbebd578b3
parent123ed334337e874acb1f55b36dc671de7e306824 (diff)
Don't try and load the config file while already loading the config file
Calls to the API function EVP_default_properties_enable_fips() will automatically attempt to load the default config file if it is not already loaded. Therefore this function should not be called from inside code to process the config file. Fixes #16165 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168)
-rw-r--r--crypto/evp/evp_cnf.c4
-rw-r--r--crypto/evp/evp_fetch.c17
-rw-r--r--include/crypto/evp.h2
3 files changed, 16 insertions, 7 deletions
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 415712dffa..0e7fe64cf9 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -46,8 +46,8 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
* fips_mode is deprecated and should not be used in new
* configurations.
*/
- if (!EVP_default_properties_enable_fips(NCONF_get0_libctx((CONF *)cnf),
- m > 0)) {
+ if (!evp_default_properties_enable_fips_int(
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
return 0;
}
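Review bot: Nothing at this call site says why the internal function is called with a bare `0` as its third argument instead of the public EVP_default_properties_enable_fips(). Extending the existing comment above the `if` with something like `/* We are already processing the config file, so do not trigger another load (loadconfig = 0). */` would keep a later cleanup from switching back to the public function and reintroducing the nested load. The diffstat lists only the three source files, so a regression test that loads a configuration using the deprecated `fips_mode` setting may also be worth adding. alg_module_init starts and continues outside the hunk.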
diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c
index 3067928030..5303cf8859 100644
--- a/crypto/evp/evp_fetch.c
+++ b/crypto/evp/evp_fetch.c
@@ -479,15 +479,16 @@ int EVP_set_default_properties(OSSL_LIB_CTX *libctx, const char *propq)
return evp_set_default_properties_int(libctx, propq, 1, 0);
}
-static int evp_default_properties_merge(OSSL_LIB_CTX *libctx, const char *propq)
+static int evp_default_properties_merge(OSSL_LIB_CTX *libctx, const char *propq,
+ int loadconfig)
{
- OSSL_PROPERTY_LIST **plp = ossl_ctx_global_properties(libctx, 1);
+ OSSL_PROPERTY_LIST **plp = ossl_ctx_global_properties(libctx, loadconfig);
OSSL_PROPERTY_LIST *pl1, *pl2;
if (propq == NULL)
return 1;
if (plp == NULL || *plp == NULL)
- return EVP_set_default_properties(libctx, propq);
+ return evp_set_default_properties_int(libctx, propq, 0, 0);
if ((pl1 = ossl_parse_query(libctx, propq, 1)) == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_DEFAULT_QUERY_PARSE_ERROR);
return 0;
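Review bot: In the `plp == NULL || *plp == NULL` fallback, the call hard-codes `0` for loadconfig rather than forwarding the `loadconfig` parameter, which reads like an oversight. It is presumably deliberate, since ossl_ctx_global_properties() has already been given `loadconfig` in the initializer at the top of the function, but that helper is not visible here, so this should be confirmed. A one-line comment before the return, e.g. `/* Any requested config load was already attempted above */`, would make the intent explicit. The body of evp_default_properties_merge continues past the end of the hunk.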
@@ -518,11 +519,17 @@ int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *libctx)
return evp_default_property_is_enabled(libctx, "fips");
}
-int EVP_default_properties_enable_fips(OSSL_LIB_CTX *libctx, int enable)
+int evp_default_properties_enable_fips_int(OSSL_LIB_CTX *libctx, int enable,
+ int loadconfig)
{
const char *query = (enable != 0) ? "fips=yes" : "-fips";
- return evp_default_properties_merge(libctx, query);
+ return evp_default_properties_merge(libctx, query, loadconfig);
+}
+
+int EVP_default_properties_enable_fips(OSSL_LIB_CTX *libctx, int enable)
+{
+ return evp_default_properties_enable_fips_int(libctx, enable, 1);
}
char *evp_get_global_properties_str(OSSL_LIB_CTX *libctx, int loadconfig)
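Review bot: evp_default_properties_enable_fips_int() is now visible outside this file, but neither the definition nor the prototype added in include/crypto/evp.h documents what `loadconfig` means or when a caller must pass 0. A short comment on the definition would do, e.g. `/* loadconfig == 0: do not auto-load the default config file; must be 0 when called while the config file is being processed */`. Because the function decides whether "fips=yes" or "-fips" is merged into the default properties, the comment should also state that, as far as the visible merge code shows, a return of 0 means the property was not applied and callers must check it.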
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index 68aab33cae..41ac80ed9d 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -891,6 +891,8 @@ int evp_pkey_ctx_use_cached_data(EVP_PKEY_CTX *ctx);
# endif /* !defined(FIPS_MODULE) */
int evp_method_store_flush(OSSL_LIB_CTX *libctx);
+int evp_default_properties_enable_fips_int(OSSL_LIB_CTX *libctx, int enable,
+ int loadconfig);
int evp_set_default_properties_int(OSSL_LIB_CTX *libctx, const char *propq,
int loadconfig, int mirrored);
char *evp_get_global_properties_str(OSSL_LIB_CTX *libctx, int loadconfig);