diff options
| author | Matt Caswell <matt@openssl.org> | 2019-05-21 16:25:24 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-05-23 11:02:19 +0100 |
| commit | b1eb3fd732adc9afaae730426f48bbfec17694d1 (patch) | |
| tree | 3936608802083ab1c8ecf653c6496fb2cbc6dc40 /crypto/provider_core.c | |
| parent | 16da72a824eddebb7d85297bea868be3a6f43c0e (diff) | |
Add more commentary about recursive Provider intialisation in the FIPS module
In addition this commit ensures that the "provctx" value is defaulted to the current
library context when we are recurively initialising the FIPS provider when already inside
the FIPS module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8728)
Diffstat (limited to 'crypto/provider_core.c')
| -rw-r--r-- | crypto/provider_core.c | 30 |
1 files changed, 26 insertions, 4 deletions
diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 36692b6ce4..d17ff93e16 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -340,9 +340,11 @@ static const OSSL_DISPATCH *core_dispatch; /* Define further down */ /* * Internal version that doesn't affect the store flags, and thereby avoid * locking. Direct callers must remember to set the store flags when - * appropriate + * appropriate. The libctx parameter is only necessary when FIPS_MODE is set + * (i.e. we are being called from inside the FIPS module) - it is ignored for + * other uses. */ -static int provider_activate(OSSL_PROVIDER *prov) +static int provider_activate(OSSL_PROVIDER *prov, OPENSSL_CTX *libctx) { const OSSL_DISPATCH *provider_dispatch = NULL; @@ -397,6 +399,26 @@ static int provider_activate(OSSL_PROVIDER *prov) #endif } + /* + * We call the initialise function for the provider. + * + * If FIPS_MODE is defined then we are inside the FIPS module and are about + * to recursively initialise ourselves. We need to do this so that we can + * get all the provider callback functions set up in order for us to be able + * to make EVP calls from within the FIPS module itself. Only algorithms + * from the FIPS module itself are available via the FIPS module EVP + * interface, i.e. we only ever have one provider available inside the FIPS + * module - the FIPS provider itself. + * + * For modules in general we cannot know what value will be used for the + * provctx - it is a "black box". But for the FIPS module we know that the + * provctx is really a library context. We default the provctx value to the + * same library context as was used for the EVP call that caused this call + * to "provider_activate". + */ +#ifdef FIPS_MODE + prov->provctx = libctx; +#endif if (prov->init_function == NULL || !prov->init_function(prov, core_dispatch, &provider_dispatch, &prov->provctx)) { @@ -438,7 +460,7 @@ static int provider_activate(OSSL_PROVIDER *prov) int ossl_provider_activate(OSSL_PROVIDER *prov) { - if (provider_activate(prov)) { + if (provider_activate(prov, NULL)) { CRYPTO_THREAD_write_lock(prov->store->lock); prov->store->use_fallbacks = 0; CRYPTO_THREAD_unlock(prov->store->lock); @@ -515,7 +537,7 @@ int ossl_provider_forall_loaded(OPENSSL_CTX *ctx, */ if (prov->flag_fallback) { activated_fallback_count++; - provider_activate(prov); + provider_activate(prov, ctx); } } |