From 49936a7ba6dfbee61acb04288530a44c04d47114 Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Mon, 25 Feb 2019 10:37:30 +0100
Subject: [PATCH] Fixed #5276: Enable SSL before parsing assistance file.

The assistance file requires primitives from the ssl wrapper. Enable these before parsing the file. Additionally split the FIPS mode enablement from the one time initializer to avoid ignoring that flag.
---
 libfreerdp/common/assistance.c |  2 ++
 winpr/libwinpr/utils/ssl.c     | 53 ++++++++++++++++++++--------------
 2 files changed, 34 insertions(+), 21 deletions(-)

diff --git a/libfreerdp/common/assistance.c b/libfreerdp/common/assistance.c
index 41c6c477b..3432a0547 100644
--- a/libfreerdp/common/assistance.c
+++ b/libfreerdp/common/assistance.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 
@@ -1223,6 +1224,7 @@ BOOL freerdp_assistance_populate_settings_from_assistance_file(rdpAssistanceFile
 
 rdpAssistanceFile* freerdp_assistance_file_new(void)
 {
+	winpr_InitializeSSL(WINPR_SSL_INIT_DEFAULT);
 	return (rdpAssistanceFile*) calloc(1, sizeof(rdpAssistanceFile));
 }
 
diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
index ad6f77c6d..1880ea898 100644
--- a/winpr/libwinpr/utils/ssl.c
+++ b/winpr/libwinpr/utils/ssl.c
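Review bot: The result of `winpr_InitializeSSL(WINPR_SSL_INIT_DEFAULT)` on the line added to `freerdp_assistance_file_new` is discarded, so when SSL initialization fails the caller still receives an assistance-file object and the subsequent parse runs against the very primitives this commit says must be ready first. Failing early keeps the function's existing NULL-on-failure contract from the `calloc` path: `if (!winpr_InitializeSSL(WINPR_SSL_INIT_DEFAULT)) return NULL;`. The angle-bracketed header name on the `#include` line added in the first hunk is not visible on this page, so that hunk could not be checked.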
@@ -237,6 +237,32 @@ static BOOL _winpr_openssl_cleanup_locking(void)
 
 #endif /* OpenSSL < 1.1.0 */
 
+static BOOL winpr_enable_fips(DWORD flags)
+{
+	if (flags & WINPR_SSL_INIT_ENABLE_FIPS)
+	{
+#if (OPENSSL_VERSION_NUMBER < 0x10001000L) || defined(LIBRESSL_VERSION_NUMBER)
+		WLog_ERR(TAG, "Openssl fips mode not available on openssl versions less than 1.0.1!");
+		return FALSE;
+#else
+		WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
+
+		if (FIPS_mode() != 1)
+		{
+			if (FIPS_mode_set(1))
+				WLog_INFO(TAG, "Openssl fips mode ENabled!");
+			else
+			{
+				WLog_ERR(TAG, "Openssl fips mode ENable failed!");
+				return FALSE;
+			}
+		}
+
+#endif
+	}
+
+	return TRUE;
+}
 
 static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVOID* context)
 {
@@ -276,26 +302,7 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
 
 #endif
 	g_winpr_openssl_initialized_by_winpr = TRUE;
-
-	if (flags & WINPR_SSL_INIT_ENABLE_FIPS)
-	{
-#if (OPENSSL_VERSION_NUMBER < 0x10001000L) || defined(LIBRESSL_VERSION_NUMBER)
-		WLog_ERR(TAG, "Openssl fips mode ENable not available on openssl versions less than 1.0.1!");
-#else
-		WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
-
-		if (FIPS_mode() != 1)
-		{
-			if (FIPS_mode_set(1))
-				WLog_INFO(TAG, "Openssl fips mode ENabled!");
-			else
-				WLog_ERR(TAG, "Openssl fips mode ENable failed!");
-		}
-
-#endif
-	}
-
-	return TRUE;
+	return winpr_enable_fips(flags);
 }
 
@@ -304,7 +311,11 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
 BOOL winpr_InitializeSSL(DWORD flags)
 {
 	static INIT_ONCE once = INIT_ONCE_STATIC_INIT;
-	return InitOnceExecuteOnce(&once, _winpr_openssl_initialize, &flags, NULL);
+
+	if (!InitOnceExecuteOnce(&once, _winpr_openssl_initialize, &flags, NULL))
+		return FALSE;
+
+	return winpr_enable_fips(flags);
 }
 
 BOOL winpr_CleanupSSL(DWORD flags)
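Review bot: The new `winpr_enable_fips` is process-global and is now reached from two places (the once-initializer and `winpr_InitializeSSL`) yet carries no comment stating its contract; a header above the definition would help, e.g. `/* Enable OpenSSL FIPS mode when WINPR_SSL_INIT_ENABLE_FIPS is set. Process-global and idempotent (no-op once FIPS_mode() == 1); returns FALSE if FIPS was requested but is unavailable or could not be switched on. */`. The hunk also changes observable behaviour rather than only structure: the old code logged an unavailable or failed FIPS enable and still returned TRUE, while the new function returns FALSE in both cases, which is the right outcome for a security-relevant flag but should be called out in the commit message since callers that previously succeeded may now fail.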
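Review bot: With the third hunk calling `winpr_enable_fips(flags)` after every `InitOnceExecuteOnce`, the `return winpr_enable_fips(flags);` that closes `_winpr_openssl_initialize` is redundant on the first call and couples two unrelated outcomes: if FIPS cannot be enabled the initializer reports failure even though OpenSSL itself was set up and `g_winpr_openssl_initialized_by_winpr` was already set to TRUE, which, depending on how WinPR's `InitOnceExecuteOnce` treats a FALSE callback result, may leave the once-state incomplete and rerun the library setup on the next call. Keeping `return TRUE;` here and leaving FIPS enforcement solely to `winpr_InitializeSSL` gives a single code path and decouples library init from the per-call flag. The start of `_winpr_openssl_initialize` lies outside this hunk.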
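Review bot: `winpr_InitializeSSL` now applies `WINPR_SSL_INIT_ENABLE_FIPS` on every call while the library initializer still runs once, so a later caller passing the flag switches the whole process into FIPS mode underneath earlier callers that never asked for it, and a later caller without the flag does not switch it back; nothing on the page documents this asymmetry. Because the switch is process-wide, the declaration of `winpr_InitializeSSL` (in its header, outside this diff) deserves a comment such as `/* Library init runs once per process; WINPR_SSL_INIT_ENABLE_FIPS is honoured on every call and is sticky process-wide, so the first caller requesting it affects every user of OpenSSL in the process. */`. Callers should also be told that the return value now reflects a rejected FIPS request, not only library-init failure.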