I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything seems to be working fine, except for the fact that I cannot get OpenSSL to load the legacy module when I configure /ssl/openssl.cnf as such. I can, however, load the module explicitly at run time.
This is a diff of my config file against a stock openssl.cnf.dist:
--- openssl.cnf.dist 2021-09-13 10:04:16.287697686 -0700
+++ openssl.cnf 2021-09-13 10:27:23.595752186 -0700
@@ -56,6 +56,7 @@
# List of providers to load
[provider_sect]
default = default_sect
+legacy = legacy_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
@@ -69,8 +70,10 @@
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
-# activate = 1
+activate = 1
+[legacy_sect]
+activate = 1
You’ll notice the only changes I made was to activate the default module, define a legacy section and activate it also.
This is the code snippet that gets called from main():
#ifdef LOAD_PROVIDER
OSSL_PROVIDER *legacy;
legacy = OSSL_PROVIDER_load(NULL, "legacy");
if (legacy == NULL) {
printf("Failed to load Legacy provider\n");
exit(EXIT_FAILURE);
}
#endif
#ifdef CALL_CRYPTO_INIT
if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
{
printf("Error: crypto_init failed\n");
exit(1);
}
#endif
if(!(e = EVP_CIPHER_CTX_new())) {
printf("Could not create EVP instance\n");
return -1;
}
if((ret = EVP_DecryptInit_ex(e, EVP_des_ecb(), NULL, key, NULL)) != 1) {
printf("DecryptInit failed\n");
return -1;
}
The EVP_DecryptInit_ex() fails if I compile without -DLOAD_PROVIDER. The other flag, CRYPTO_INIT does not make any difference. What is puzzling is that I can build OpenSSL natively on an x86_64 machine and using the same openssl.cnf file, the code above works and the legacy module loads without the code to explicitly load it.
Any thoughts on what I may have done wrong or how to track this down?
Thanks,
Kory
