hello, On Wed, Nov 20, 2024 at 12:48 PM Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> wrote: > [...] >> > The idea here was to auto-enable pkcs11-provider when it is installed, which still makes sense to me. The issue here I think is that many people ended up with pkcs11-provider installed because of a recommendation. We should remove that recommendation, most users don’t need pcks11-provider installed. >> >> I'm trying a setup right now, to understand what's happening. >> wpa_supplicant does not need pkcs11-provider *at the moment*, because >> it uses engine API for pkcs11 (and that is going to be a problem in >> the future for EAP-TLS with pkcs11, if engine disappears from >> openssl). However, it loads the legacy provider at startup, because >> it's needed for MSCHAPv2 in the inner authentication. > > > Do you also load the default provider and/or set default fetching properties? yes. The problem is in md4_vector() [1], the legacy provider has a non-NULL pointer and EVP_md4() fetches correctly. However, when pkcs11-provider is installed, EVP_DigestInit_ex() fails. I tried this patch [2] on upstream wpa_supplicant, and it seem to fix at least my local test. The patch loads the default provider after loading the legacy provider (and unloads it before exiting), and took inspiration from [3] and [4]. @Dmitry Belyavskiy , does it make sense for you? if so I could submit it to upstream wpa_supplicant. Or maybe it deserves a test in eduroam first. --- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c @@ -188,15 +188,21 @@ static int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, #if OPENSSL_VERSION_NUMBER >= 0x30000000L static OSSL_PROVIDER *openssl_legacy_provider = NULL; +static OSSL_PROVIDER *openssl_default_provider = NULL; + #endif /* OpenSSL version >= 3.0 */ void openssl_load_legacy_provider(void) { #if OPENSSL_VERSION_NUMBER >= 0x30000000L if (openssl_legacy_provider) - return; + goto load_default_provider; openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1); +load_default_provider: + if (openssl_default_provider) + return; + openssl_default_provider = OSSL_PROVIDER_try_load(NULL, "default", 1); #endif /* OpenSSL version >= 3.0 */ } @@ -208,6 +214,10 @@ static void openssl_unload_legacy_provider(void) OSSL_PROVIDER_unload(openssl_legacy_provider); openssl_legacy_provider = NULL; } + if (openssl_default_provider) { + OSSL_PROVIDER_unload(openssl_default_provider); + openssl_default_provider = NULL; + } #endif /* OpenSSL version >= 3.0 */ } thanks, -- davide [1] https://w1.fi/cgit/hostap/tree/src/crypto/crypto_openssl.c#n325 [2] https://w1.fi/cgit/hostap/tree/src/crypto/crypto_openssl.c#n293 [3] https://lore.kernel.org/lkml/10c0539a6103f4da2eb19765c83800594ebe2dff.1720728319.git.jstancek@xxxxxxxxxx/ [4] https://docs.openssl.org/3.2/man7/ossl-guide-libcrypto-introduction/#fetching-examples1 -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue