CORE: Attach the provider context to the provider late
authorRichard Levitte <levitte@openssl.org>
Mon, 11 May 2020 09:10:41 +0000 (11:10 +0200)
committerRichard Levitte <levitte@openssl.org>
Tue, 12 May 2020 09:32:40 +0000 (11:32 +0200)
There are concerns that if |prov->provctx| is populated early,
sensitive information may leak from the provider.  Therefore, we use a
temporary variable, and only assign it to |prov->provctx| when the
provider init function has returned successfully.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11777)

crypto/provider_core.c

index b100e5a15d542b9fa568ad9bb005a9126e26beb2..1cbe3697542ce5e0a851c6d7f3c4ddf2293aafb0 100644 (file)
@@ -418,6 +418,7 @@ int OSSL_PROVIDER_set_default_search_path(OPENSSL_CTX *libctx, const char *path)
 static int provider_activate(OSSL_PROVIDER *prov)
 {
     const OSSL_DISPATCH *provider_dispatch = NULL;
+    void *tmp_provctx = NULL;    /* safety measure */
 #ifndef OPENSSL_NO_ERR
 # ifndef FIPS_MODULE
     OSSL_provider_get_reason_strings_fn *p_get_reason_strings = NULL;
@@ -488,7 +489,7 @@ static int provider_activate(OSSL_PROVIDER *prov)
     /* Call the initialise function for the provider. */
     if (prov->init_function == NULL
         || !prov->init_function(prov, core_dispatch, &provider_dispatch,
-                                &prov->provctx)) {
+                                &tmp_provctx)) {
         ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_INIT_FAIL, NULL,
                        "name=%s", prov->name);
 #ifndef FIPS_MODULE
@@ -497,6 +498,7 @@ static int provider_activate(OSSL_PROVIDER *prov)
 #endif
         return 0;
     }
+    prov->provctx = tmp_provctx;
 
     for (; provider_dispatch->function_id != 0; provider_dispatch++) {
         switch (provider_dispatch->function_id) {
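Review bot: The handoff at `prov->provctx = tmp_provctx;` happens before the dispatch table is walked, so if provider_activate has a failure exit later in the function (the body continues past this hunk), a provider whose init succeeded but whose dispatch table is later rejected would keep its context attached while the function reports failure — the same exposure the commit sets out to remove. If such exits exist, the assignment belongs after the last of them, with the context released on those failure paths; if the function cannot fail after this point, a one-line comment saying so would document why this placement is safe. The comment `/* safety measure */` on the new declaration in the first hunk says little about that intent; `/* handed to prov->provctx only once init succeeds, so a failed init leaves no context behind */` states it. The loop at `for (; provider_dispatch->function_id != 0; ...)` also still relies on init having set provider_dispatch, which is pre-existing and not changed here.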