Remove Init fallback logic and provide CheckVersion instead (#66)

* remove Init fallback logic and provide CheckVersion instead

* do not require GO_OPENSSL_VERSION_OVERRIDE for testing

* remove spurious comment

* ci: avoid running duplicated address sanitizer tests

Author: qmuntal

.github/workflows/test.yml

@@ -40,7 +40,7 @@ jobs:
       run: |
         ok=true
         for t in $(go test ./... -list=. | grep '^Test'); do
-          go test ./... -gcflags=all=-d=checkptr -asan -run $t -v || ok=false
+          go test ./... -gcflags=all=-d=checkptr -asan -run ^$t$ -v || ok=false
         done
         $ok
       env:

openssl/goopenssl.c

@@ -27,6 +27,26 @@ FOR_ALL_OPENSSL_FUNCTIONS
 #undef DEFINEFUNC_RENAMED_1_1
 #undef DEFINEFUNC_RENAMED_3_0
 
+int
+go_openssl_fips_enabled(void* handle)
+{
+    // For OpenSSL 1.x.
+    int (*FIPS_mode)(void);
+    FIPS_mode = (int (*)(void))dlsym(handle, "FIPS_mode");
+    if (FIPS_mode != NULL)
+        return FIPS_mode();
+
+    // For OpenSSL 3.x.
+    int (*EVP_default_properties_is_fips_enabled)(void*);
+    int (*OSSL_PROVIDER_available)(void*, const char*);
+    EVP_default_properties_is_fips_enabled = (int (*)(void*))dlsym(handle, "EVP_default_properties_is_fips_enabled"); 
+    OSSL_PROVIDER_available = (int (*)(void*, const char*))dlsym(handle, "OSSL_PROVIDER_available"); 
+    if (EVP_default_properties_is_fips_enabled != NULL && OSSL_PROVIDER_available != NULL &&
+        EVP_default_properties_is_fips_enabled(NULL) == 1 && OSSL_PROVIDER_available(NULL, "fips") == 1)
+            return 1;
+
+    return 0;
+}
 
 // Load all the functions stored in FOR_ALL_OPENSSL_FUNCTIONS
 // and assign them to their corresponding function pointer

openssl/goopenssl.h

@@ -19,6 +19,7 @@ go_openssl_do_leak_check(void)
 #endif
 }
 
+int go_openssl_fips_enabled(void* handle);
 int go_openssl_version_major(void* handle);
 int go_openssl_version_minor(void* handle);
 int go_openssl_version_patch(void* handle);

openssl/init.go

@@ -11,26 +11,17 @@ import (
 	"unsafe"
 )
 
-// knownVersions is a list of supported and well-known libcrypto.so suffixes in decreasing version order.
-//
-// FreeBSD library version numbering does not directly align to the version of OpenSSL.
-// Its preferred search order is 11 -> 111.
-//
-// Some distributions use 1.0.0 and others (such as Debian) 1.0.2 to refer to the same OpenSSL 1.0.2 version.
-//
-// Fedora derived distros use different naming for the version 1.0.x.
-var knownVersions = [...]string{"3", "1.1", "11", "111", "1.0.2", "1.0.0", "10"}
-
 // opensslInit loads and initialize OpenSSL.
 // If successful, it returns the major and minor OpenSSL version
 // as reported by the OpenSSL API.
 //
 // See Init() for details about version.
 func opensslInit(version string) (major, minor, patch int, err error) {
 	// Load the OpenSSL shared library using dlopen.
-	handle, err := loadLibrary(version)
-	if err != nil {
-		return 0, 0, 0, err
+	handle := dlopen(version)
+	if handle == nil {
+		errstr := C.GoString(C.dlerror())
+		return 0, 0, 0, errors.New("openssl: can't load libcrypto.so." + version + ": " + errstr)
 	}
 
 	// Retrieve the loaded OpenSSL version and check if it is supported.
@@ -80,25 +71,3 @@ func dlopen(version string) unsafe.Pointer {
 	defer C.free(unsafe.Pointer(cv))
 	return C.dlopen(cv, C.RTLD_LAZY|C.RTLD_LOCAL)
 }
-
-func loadLibrary(version string) (unsafe.Pointer, error) {
-	if version != "" {
-		// If version is specified try to load it or error out.
-		handle := dlopen(version)
-		if handle == nil {
-			errstr := C.GoString(C.dlerror())
-			return nil, errors.New("openssl: can't load libcrypto.so." + version + ": " + errstr)
-		}
-		return handle, nil
-	}
-	// If the version is not specified, try loading from the list
-	// of well known versions.
-	for _, v := range knownVersions {
-		handle := dlopen(v)
-		if handle == nil {
-			continue
-		}
-		return handle, nil
-	}
-	return nil, errors.New("openssl: can't load libcrypto.so using any known version suffix")
-}

openssl/openssl.go

@@ -5,6 +5,7 @@
 package openssl
 
 // #include "goopenssl.h"
+// #include <dlfcn.h>
 // #cgo LDFLAGS: -ldl
 import "C"
 import (
@@ -30,17 +31,28 @@ var (
 
 var nativeEndian binary.ByteOrder
 
+// CheckVersion checks if the OpenSSL version can be loaded
+// and if the FIPS mode is enabled.
+// This function can be called before Init.
+func CheckVersion(version string) (exists, fips bool) {
+	handle := dlopen(version)
+	if handle == nil {
+		return false, false
+	}
+	defer C.dlclose(handle)
+	fips = C.go_openssl_fips_enabled(handle) == 1
+	return true, fips
+}
+
 // Init loads and initializes OpenSSL.
-// It must be called before any other OpenSSL call.
+// It must be called before any other OpenSSL call, except CheckVersion.
 //
 // Only the first call to Init is effective,
 // subsequent calls will return the same error result as the one from the first call.
 //
-// If version is not empty, its value will be appended to the OpenSSL shared library name
-// as a version suffix when calling dlopen. For example, `version=1.1.1k-fips`
-// makes Init look for the shared library libcrypto.so.1.1.1k-fips.
-// If version is empty, Init will try to load the OpenSSL shared library
-// using a list of supported and well-known version suffixes, going from higher to lower versions.
+// version will be appended to the OpenSSL shared library name as a version suffix
+// when calling dlopen. For example, `version=1.1.1k-fips` makes Init look for
+// the shared library libcrypto.so.1.1.1k-fips.
 func Init(version string) error {
 	initOnce.Do(func() {
 		buf := [2]byte{}
@@ -75,24 +87,8 @@ func VersionText() string {
 var (
 	providerNameFips    = C.CString("fips")
 	providerNameDefault = C.CString("default")
-	propFipsYes         = C.CString("fips=yes")
-	propFipsNo          = C.CString("fips=no")
-	algProve            = C.CString("SHA2-256")
 )
 
-// providerAvailable looks through provider's digests
-// checking if there is any that matches the props query.
-func providerAvailable(props *C.char) bool {
-	C.go_openssl_ERR_set_mark()
-	defer C.go_openssl_ERR_pop_to_mark()
-	md := C.go_openssl_EVP_MD_fetch(nil, algProve, props)
-	if md == nil {
-		return false
-	}
-	C.go_openssl_EVP_MD_free(md)
-	return true
-}
-
 // FIPS returns true if OpenSSL is running in FIPS mode, else returns false.
 func FIPS() bool {
 	switch vMajor {
@@ -107,54 +103,49 @@ func FIPS() bool {
 		// it is only based on the default properties.
 		// We can be sure that the FIPS provider is available if we can fetch an algorithm, e.g., SHA2-256,
 		// explicitly setting `fips=yes`.
-		return providerAvailable(propFipsYes)
+		return C.go_openssl_OSSL_PROVIDER_available(nil, providerNameFips) == 1
 	default:
 		panic(errUnsupportedVersion())
 	}
 }
 
 // SetFIPS enables or disables FIPS mode.
 //
-// It implements the following provider fallback logic for OpenSSL 3:
-//   - The "fips" provider is loaded if enabled=true and no loaded provider matches "fips=yes".
-//   - The "default" provider is loaded if enabled=false and no loaded provider matches "fips=no".
-//
-// This logic allows advanced users to define their own providers that match "fips=yes" and "fips=no" using the OpenSSL config file.
+// For OpenSSL 3, the `fips` provider is loaded if enabled is true,
+// else the `default` provider is loaded.
 func SetFIPS(enabled bool) error {
+	var mode C.int
+	if enabled {
+		mode = C.int(1)
+	} else {
+		mode = C.int(0)
+	}
 	switch vMajor {
 	case 1:
-		var mode C.int
-		if enabled {
-			mode = C.int(1)
-		} else {
-			mode = C.int(0)
-		}
 		if C.go_openssl_FIPS_mode_set(mode) != 1 {
 			return newOpenSSLError("FIPS_mode_set")
 		}
 		return nil
 	case 3:
-		var props, provName *C.char
+		var provName *C.char
 		if enabled {
-			props = propFipsYes
 			provName = providerNameFips
 		} else {
-			props = propFipsNo
 			provName = providerNameDefault
 		}
 		// Check if there is any provider that matches props.
-		if !providerAvailable(props) {
+		if C.go_openssl_OSSL_PROVIDER_available(nil, provName) != 1 {
 			// If not, fallback to provName provider.
 			if C.go_openssl_OSSL_PROVIDER_load(nil, provName) == nil {
 				return newOpenSSLError("OSSL_PROVIDER_try_load")
 			}
 			// Make sure we now have a provider available.
-			if !providerAvailable(props) {
+			if C.go_openssl_OSSL_PROVIDER_available(nil, provName) != 1 {
 				return fail("SetFIPS(" + strconv.FormatBool(enabled) + ") not supported")
 			}
 		}
-		if C.go_openssl_EVP_set_default_properties(nil, props) != 1 {
-			return newOpenSSLError("EVP_set_default_properties")
+		if C.go_openssl_EVP_default_properties_enable_fips(nil, mode) != 1 {
+			return newOpenSSLError("openssl: EVP_default_properties_enable_fips")
 		}
 		return nil
 	default:

openssl/openssl_test.go

@@ -12,8 +12,26 @@ import (
 	"github.com/golang-fips/openssl-fips/openssl"
 )
 
-func TestMain(m *testing.M) {
+// getVersion returns the OpenSSL version to use for testing.
+func getVersion() string {
 	v := os.Getenv("GO_OPENSSL_VERSION_OVERRIDE")
+	if v != "" {
+		return v
+	}
+	// Try to find a supported version of OpenSSL on the system.
+	// This is useful for local testing, where the user may not
+	// have GO_OPENSSL_VERSION_OVERRIDE set.
+	for _, v = range [...]string{"3", "1.1.1", "1.1", "11", "111", "1.0.2", "1.0.0", "10"} {
+		if ok, _ := openssl.CheckVersion(v); ok {
+			return v
+		}
+	}
+	return ""
+}
+
+func TestMain(m *testing.M) {
+	v := getVersion()
+	fmt.Printf("Using libcrypto.so.%s\n", v)
 	err := openssl.Init(v)
 	if err != nil {
 		// An error here could mean that this Linux distro does not have a supported OpenSSL version
@@ -28,3 +46,14 @@ func TestMain(m *testing.M) {
 	openssl.CheckLeaks()
 	os.Exit(status)
 }
+
+func TestCheckVersion(t *testing.T) {
+	v := getVersion()
+	exists, fips := openssl.CheckVersion(v)
+	if !exists {
+		t.Fatalf("OpenSSL version %q not found", v)
+	}
+	if want := openssl.FIPS(); want != fips {
+		t.Fatalf("FIPS mismatch: want %v, got %v", want, fips)
+	}
+}

openssl/shims.h

@@ -170,7 +170,8 @@ DEFINEFUNC_1_1(int, OPENSSL_init_crypto, (uint64_t ops, const GO_OPENSSL_INIT_SE
 DEFINEFUNC_LEGACY_1(int, FIPS_mode, (void), ()) \
 DEFINEFUNC_LEGACY_1(int, FIPS_mode_set, (int r), (r)) \
 DEFINEFUNC_3_0(int, EVP_default_properties_is_fips_enabled, (GO_OSSL_LIB_CTX_PTR libctx), (libctx)) \
-DEFINEFUNC_3_0(int, EVP_set_default_properties, (GO_OSSL_LIB_CTX_PTR libctx, const char *propq), (libctx, propq)) \
+DEFINEFUNC_3_0(int, EVP_default_properties_enable_fips, (GO_OSSL_LIB_CTX_PTR libctx, int enable), (libctx, enable)) \
+DEFINEFUNC_3_0(int, OSSL_PROVIDER_available, (GO_OSSL_LIB_CTX_PTR libctx, const char *name), (libctx, name)) \
 DEFINEFUNC_3_0(GO_OSSL_PROVIDER_PTR, OSSL_PROVIDER_load, (GO_OSSL_LIB_CTX_PTR libctx, const char *name), (libctx, name)) \
 DEFINEFUNC_3_0(GO_EVP_MD_PTR, EVP_MD_fetch, (GO_OSSL_LIB_CTX_PTR ctx, const char *algorithm, const char *properties), (ctx, algorithm, properties)) \
 DEFINEFUNC_3_0(void, EVP_MD_free, (GO_EVP_MD_PTR md), (md)) \