OpenSSL: Fix FIPS mode enabling in dynamic interface case

FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2015-08-01 22:39:21 +03:00
parent 38934ed100
commit 4fc53159b9


@ -757,7 +757,9 @@ void * tls_init(const struct tls_config *conf)
#ifdef CONFIG_FIPS #ifdef CONFIG_FIPS
#ifdef OPENSSL_FIPS #ifdef OPENSSL_FIPS
if (conf && conf->fips_mode) { if (conf && conf->fips_mode) {
if (!FIPS_mode_set(1)) { static int fips_enabled = 0;
if (!fips_enabled && !FIPS_mode_set(1)) {
wpa_printf(MSG_ERROR, "Failed to enable FIPS " wpa_printf(MSG_ERROR, "Failed to enable FIPS "
"mode"); "mode");
ERR_load_crypto_strings(); ERR_load_crypto_strings();
@ -765,8 +767,10 @@ void * tls_init(const struct tls_config *conf)
os_free(tls_global); os_free(tls_global);
tls_global = NULL; tls_global = NULL;
return NULL; return NULL;
} else } else {
wpa_printf(MSG_INFO, "Running in FIPS mode"); wpa_printf(MSG_INFO, "Running in FIPS mode");
fips_enabled = 1;
}
} }
#else /* OPENSSL_FIPS */ #else /* OPENSSL_FIPS */
if (conf && conf->fips_mode) { if (conf && conf->fips_mode) {
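Review bot: The new `static int fips_enabled` guard in tls_init() only remembers a successful FIPS_mode_set(1) call made by this function, so it cannot tell when FIPS mode is already on for another reason (for example, enabled by other code in the same process). In that case the repeated call this commit wants to avoid would still happen and be logged as "Failed to enable FIPS mode". Asking the library for its current state avoids a shadow copy that can drift from it: `if (!FIPS_mode() && !FIPS_mode_set(1)) {`, which would also make the static and the `fips_enabled = 1;` assignment unnecessary. If the static is kept, a short comment such as `/* FIPS mode is process-wide and never disabled here; call FIPS_mode_set(1) only once */` would explain why the flag outlives a single tls_init() call. tls_init() starts and ends outside these hunks, so whether this block runs on every call or only on the first one is not visible here.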