Don't attempt to load conf file if FIPS is loaded

canonical · Sep 13, 2024 · 1107caa · 1107caa
1 parent 48e5519
commit 1107caa
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/main/native/c/init.c b/src/main/native/c/init.c
@@ -34,6 +34,14 @@ OSSL_LIB_CTX *global_libctx = NULL;
 
 OSSL_LIB_CTX* load_openssl_provider(const char *name, const char* conf_file_path) {
     OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
+
+    if (OSSL_PROVIDER_available(libctx, "fips")) {
+        // The FIPS module has been loaded by default.
+        // The base module should also be loaded and the default model not loaded.
+        // There's nothing more to do. This is the Ubuntu Pro setup.
+        return libctx;
+    }
+
     if (!OSSL_LIB_CTX_load_config(libctx, conf_file_path)) {
         ERR_print_errors_fp(stderr);
     }
@@ -43,7 +51,7 @@ OSSL_LIB_CTX* load_openssl_provider(const char *name, const char* conf_file_path
         fprintf(stderr, "Failed to load the %s provider:\n", name);
         ERR_print_errors_fp(stderr);
     }
-    
+
     return libctx;
 }