Dear Davide,
On Thu, Nov 21, 2024 at 1:07 PM Davide Caratti <dcaratti@xxxxxxxxxx> wrote:
hello,
On Wed, Nov 20, 2024 at 12:48 PM Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> wrote:
>
[...]
>> > The idea here was to auto-enable pkcs11-provider when it is installed, which still makes sense to me. The issue here I think is that many people ended up with pkcs11-provider installed because of a recommendation. We should remove that recommendation, most users don’t need pcks11-provider installed.
>>
>> I'm trying a setup right now, to understand what's happening.
>> wpa_supplicant does not need pkcs11-provider *at the moment*, because
>> it uses engine API for pkcs11 (and that is going to be a problem in
>> the future for EAP-TLS with pkcs11, if engine disappears from
>> openssl). However, it loads the legacy provider at startup, because
>> it's needed for MSCHAPv2 in the inner authentication.
>
>
> Do you also load the default provider and/or set default fetching properties?
yes. The problem is in md4_vector() [1], the legacy provider has a
non-NULL pointer and EVP_md4() fetches correctly. However, when
pkcs11-provider is installed,
EVP_DigestInit_ex() fails. I tried this patch [2] on upstream
wpa_supplicant, and it seem to fix at least my local test. The patch
loads the default provider after loading the legacy provider (and
unloads it before exiting), and took inspiration from [3] and [4].
@Dmitry Belyavskiy , does it make sense for you? if so I could submit
it to upstream wpa_supplicant. Or maybe it deserves a test in eduroam
first.
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -188,15 +188,21 @@ static int EC_GROUP_get_curve(const EC_GROUP
*group, BIGNUM *p, BIGNUM *a,
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static OSSL_PROVIDER *openssl_legacy_provider = NULL;
+static OSSL_PROVIDER *openssl_default_provider = NULL;
+
#endif /* OpenSSL version >= 3.0 */
void openssl_load_legacy_provider(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (openssl_legacy_provider)
- return;
+ goto load_default_provider;
openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL,
"legacy", 1);
+load_default_provider:
+ if (openssl_default_provider)
+ return;
+ openssl_default_provider = OSSL_PROVIDER_try_load(NULL,
"default", 1);
#endif /* OpenSSL version >= 3.0 */
}
@@ -208,6 +214,10 @@ static void openssl_unload_legacy_provider(void)
OSSL_PROVIDER_unload(openssl_legacy_provider);
openssl_legacy_provider = NULL;
}
+ if (openssl_default_provider) {
+ OSSL_PROVIDER_unload(openssl_default_provider);
+ openssl_default_provider = NULL;
+ }
#endif /* OpenSSL version >= 3.0 */
}
thanks,
--
davide
[1] https://w1.fi/cgit/hostap/tree/src/crypto/crypto_openssl.c#n325
[2] https://w1.fi/cgit/hostap/tree/src/crypto/crypto_openssl.c#n293
[3] https://lore.kernel.org/lkml/10c0539a6103f4da2eb19765c83800594ebe2dff.1720728319.git.jstancek@xxxxxxxxxx/
[4] https://docs.openssl.org/3.2/man7/ossl-guide-libcrypto-introduction/#fetching-examples1
Yes, it looks reasonable (but I'm not sure you need to free the providers explicitly, it's up to you).
Dmitry Belyavskiy
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue