Re: pkcs11-provider update breaks eduroam

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dear Davide,

On Thu, Nov 21, 2024 at 1:07 PM Davide Caratti <dcaratti@xxxxxxxxxx> wrote:
hello,

On Wed, Nov 20, 2024 at 12:48 PM Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> wrote:
>

[...]
>> > The idea here was to auto-enable pkcs11-provider when it is installed, which still makes sense to me. The issue here I think is that many people ended up with pkcs11-provider installed because of a recommendation. We should remove that recommendation, most users don’t need pcks11-provider installed.
>>
>> I'm trying a setup right now, to understand what's happening.
>> wpa_supplicant does not need pkcs11-provider *at the moment*, because
>> it uses engine API for pkcs11 (and that is going to be a problem in
>> the future for EAP-TLS with pkcs11, if engine disappears from
>> openssl). However, it loads the legacy provider at startup, because
>> it's needed for MSCHAPv2 in the inner authentication.
>
>
> Do you also load the default provider and/or set default fetching properties?

yes. The problem is in md4_vector() [1], the legacy provider has a
non-NULL pointer and EVP_md4() fetches correctly. However, when
pkcs11-provider is installed,
EVP_DigestInit_ex() fails. I tried this patch [2] on upstream
wpa_supplicant, and it seem to fix at least my local test. The patch
loads the default provider after loading the legacy provider (and
unloads it before exiting), and took inspiration from [3] and [4].

@Dmitry Belyavskiy  , does it make sense for you? if so I could submit
it to upstream wpa_supplicant. Or maybe it deserves a test in eduroam
first.

--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -188,15 +188,21 @@ static int EC_GROUP_get_curve(const EC_GROUP
*group, BIGNUM *p, BIGNUM *a,

 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static OSSL_PROVIDER *openssl_legacy_provider = NULL;
+static OSSL_PROVIDER *openssl_default_provider = NULL;
+
 #endif /* OpenSSL version >= 3.0 */

 void openssl_load_legacy_provider(void)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
        if (openssl_legacy_provider)
-               return;
+               goto load_default_provider;

        openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL,
"legacy", 1);
+load_default_provider:
+       if (openssl_default_provider)
+               return;
+       openssl_default_provider = OSSL_PROVIDER_try_load(NULL,
"default", 1);
 #endif /* OpenSSL version >= 3.0 */
 }

@@ -208,6 +214,10 @@ static void openssl_unload_legacy_provider(void)
                OSSL_PROVIDER_unload(openssl_legacy_provider);
                openssl_legacy_provider = NULL;
        }
+       if (openssl_default_provider) {
+               OSSL_PROVIDER_unload(openssl_default_provider);
+               openssl_default_provider = NULL;
+       }
 #endif /* OpenSSL version >= 3.0 */
 }

thanks,
--
davide

[1] https://w1.fi/cgit/hostap/tree/src/crypto/crypto_openssl.c#n325
[2] https://w1.fi/cgit/hostap/tree/src/crypto/crypto_openssl.c#n293
[3] https://lore.kernel.org/lkml/10c0539a6103f4da2eb19765c83800594ebe2dff.1720728319.git.jstancek@xxxxxxxxxx/
[4] https://docs.openssl.org/3.2/man7/ossl-guide-libcrypto-introduction/#fetching-examples1
 
Yes, it looks reasonable (but I'm not sure you need to free the providers explicitly, it's up to you).

--
Dmitry Belyavskiy
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux