
OpenSSL 3.0 hangs on exit with FIPS and badly formatted config file #12496

Closed
tomiii00 opened this issue Jul 20, 2020 · 4 comments
Labels
branch: master Merge to master branch triaged: bug The issue/pr is/fixes a bug triaged: OTC evaluated This issue/pr was triaged by OTC

@tomiii00 (Contributor)

If the FIPS provider is loaded manually and the providers section of the config file contains any lines with name=value where no [value] section exists, OpenSSL hangs on exit().

Section 7.1 of https://wiki.openssl.org/index.php/OpenSSL_3.0 says to put these lines "near the beginning" of the config file:

openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect

If these lines are placed at the very beginning of the config file, the existing default section becomes part of the [provider_sect] section and the existing HOME = . line causes OpenSSL to hang on exit() because there is no [.] section. Likewise, if you were to add foo = bar under [provider_sect] without creating a [bar] section, OpenSSL will hang on exit().

The problem only occurs under certain specific circumstances:

  1. A bad config file exists as described above
  2. The FIPS provider is loaded manually via OSSL_PROVIDER_load()
  3. A digest algorithm is fetched via EVP_get_digestbyname()
  4. The algorithm is actually used (e.g. by EVP_DigestInit_ex())

OR

  1. A bad config file exists as described above
  2. The FIPS provider is loaded manually via OSSL_PROVIDER_load()
  3. A digest algorithm is fetched via EVP_MD_fetch() (whether or not it is actually used later)

OR

  1. A bad config file exists as described above
  2. The FIPS provider is loaded manually via OSSL_PROVIDER_load()
  3. The FIPS provider is not unloaded via OSSL_PROVIDER_unload() prior to exit().

The first two scenarios above cause OpenSSL to hang whether or not the FIPS provider is manually unloaded prior to exit().
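The mis-placement described in the report can be caught before OpenSSL ever loads the file. The following is an added example, not code from the issue or from OpenSSL: a small lint that parses an OpenSSL-style config and lists every name=value pair under the providers section whose value does not name an existing section. The sample configs are constructed; `fips_sect` is assumed to come from the included fipsmodule.cnf and is passed in as a known section.

```python
import re

# Constructed sample (not from the issue): the wiki's FIPS lines pasted at the
# very top, so the old default-section lines (HOME = .) land in [provider_sect].
BAD_CONF = """\
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
HOME = .
RANDFILE = $ENV::HOME/.rnd
"""

# Same content with the default section kept ahead of the FIPS lines.
GOOD_CONF = """\
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
"""

def parse_sections(text):
    """Minimal OpenSSL-style config parser: {section: [(name, value), ...]}.
    Lines before the first [header] belong to the 'default' section."""
    sections, current = {"default": []}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(".include"):
            continue  # .include is not resolved here; see included_sections
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((name, value))
    return sections

def dangling_provider_refs(text, included_sections=()):
    """(name, value) pairs in the providers section whose value names a section
    defined neither in this file nor in an included one (e.g. fipsmodule.cnf)."""
    sections = parse_sections(text)
    init = dict(sections["default"]).get("openssl_conf")
    providers = dict(sections.get(init, [])).get("providers")
    known = set(sections) | set(included_sections)
    return [(n, v) for n, v in sections.get(providers, []) if v not in known]
```

Any pair the function returns is one that OpenSSL 3.0 builds from this issue would trip over at exit; the same check flags the `foo = bar` case from the report.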

@mspncp (Contributor) commented Jul 20, 2020

Note: this issue is a spinoff from thread OpenSSL 3.0 hangs at exit with FIPS provider on openssl-users, continued by [SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider

@mspncp mspncp added branch: master Merge to master branch triaged: bug The issue/pr is/fixes a bug labels Jul 20, 2020
@mspncp mspncp added this to To do in 3.0 New Core + FIPS via automation Jul 20, 2020
@richsalz (Contributor)

I believe the Wiki docs are outdated, and that https://www.openssl.org/docs/manmaster/man5/config.html and https://www.openssl.org/docs/manmaster/man5/fips_config.html are more accurate. In particular, there is really no reason for the FIPS config part to be "near the beginning" of the file.

@mattcaswell (Member)

The bit that needs to be near the beginning is:

openssl_conf = openssl_init

The rest probably doesn't.

@kroeckx kroeckx added this to the 3.0.0 milestone Oct 7, 2020
@romen romen added the triaged: OTC evaluated This issue/pr was triaged by OTC label Nov 10, 2020
@mattcaswell (Member)

This issue now seems to be fixed. I was able to reproduce this problem on a checkout from around the time that this issue was raised. However, I am unable to do so on latest master. Therefore I'm closing this.

3.0 New Core + FIPS automation moved this from To do to Done Mar 26, 2021