Dear Davide,
On Thu, Nov 21, 2024 at 1:07 PM Davide Caratti <dcara...@redhat.com> wrote:
> hello,
>
> On Wed, Nov 20, 2024 at 12:48 PM Dmitry Belyavskiy <dbely...@redhat.com>
> wrote:
> >
>
> [...]
> >> > The idea here was to auto-enable pkcs11-provider when it is
> installed, which still makes sense to me. The issue here I think is that
> many people ended up with pkcs11-provider installed because of a
> recommendation. We should remove that recommendation, most users don’t need
> pcks11-provider installed.
> >>
> >> I'm trying a setup right now, to understand what's happening.
> >> wpa_supplicant does not need pkcs11-provider *at the moment*, because
> >> it uses engine API for pkcs11 (and that is going to be a problem in
> >> the future for EAP-TLS with pkcs11, if engine disappears from
> >> openssl). However, it loads the legacy provider at startup, because
> >> it's needed for MSCHAPv2 in the inner authentication.
> >
> >
> > Do you also load the default provider and/or set default fetching
> properties?
>
> yes. The problem is in md4_vector() [1], the legacy provider has a
> non-NULL pointer and EVP_md4() fetches correctly. However, when
> pkcs11-provider is installed,
> EVP_DigestInit_ex() fails. I tried this patch [2] on upstream
> wpa_supplicant, and it seem to fix at least my local test. The patch
> loads the default provider after loading the legacy provider (and
> unloads it before exiting), and took inspiration from [3] and [4].
>
> @Dmitry Belyavskiy , does it make sense for you? if so I could submit
> it to upstream wpa_supplicant. Or maybe it deserves a test in eduroam
> first.
>
> --- a/src/crypto/crypto_openssl.c
> +++ b/src/crypto/crypto_openssl.c
> @@ -188,15 +188,21 @@ static int EC_GROUP_get_curve(const EC_GROUP
> *group, BIGNUM *p, BIGNUM *a,
>
> #if OPENSSL_VERSION_NUMBER >= 0x30000000L
> static OSSL_PROVIDER *openssl_legacy_provider = NULL;
> +static OSSL_PROVIDER *openssl_default_provider = NULL;
> +
> #endif /* OpenSSL version >= 3.0 */
>
> void openssl_load_legacy_provider(void)
> {
> #if OPENSSL_VERSION_NUMBER >= 0x30000000L
> if (openssl_legacy_provider)
> - return;
> + goto load_default_provider;
>
> openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL,
> "legacy", 1);
> +load_default_provider:
> + if (openssl_default_provider)
> + return;
> + openssl_default_provider = OSSL_PROVIDER_try_load(NULL,
> "default", 1);
> #endif /* OpenSSL version >= 3.0 */
> }
>
> @@ -208,6 +214,10 @@ static void openssl_unload_legacy_provider(void)
> OSSL_PROVIDER_unload(openssl_legacy_provider);
> openssl_legacy_provider = NULL;
> }
> + if (openssl_default_provider) {
> + OSSL_PROVIDER_unload(openssl_default_provider);
> + openssl_default_provider = NULL;
> + }
> #endif /* OpenSSL version >= 3.0 */
> }
>
> thanks,
> --
> davide
>
> [1] https://w1.fi/cgit/hostap/tree/src/crypto/crypto_openssl.c#n325
> [2] https://w1.fi/cgit/hostap/tree/src/crypto/crypto_openssl.c#n293
> [3]
> https://lore.kernel.org/lkml/10c0539a6103f4da2eb19765c83800594ebe2dff.1720728319.git.jstan...@redhat.com/
> [4]
> https://docs.openssl.org/3.2/man7/ossl-guide-libcrypto-introduction/#fetching-examples1
Yes, it looks reasonable (but I'm not sure you need to free the providers
explicitly, it's up to you).
--
Dmitry Belyavskiy
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
