Load legacy provider when initializing OpenSSL 3.0

See: https://github.com/FreeRDP/FreeRDP/pull/7448
Ondrej Holy 2021-11-27 10:38:32 +01:00
parent 3e17678387
commit 03115cf349
2 changed files with 65 additions and 0 deletions


@ -34,6 +34,9 @@ Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{
Patch0: Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
Patch1: Fixed-7436-Datatype-mismatch.patch
# https://github.com/FreeRDP/FreeRDP/pull/7448
Patch2: winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: alsa-lib-devel
@ -301,6 +304,7 @@ find %{buildroot} -name "*.a" -delete
%changelog
* Fri Nov 26 2021 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-2
- Fix datatype mismatch / big-endian breakage
- Load legacy provider when initializing OpenSSL 3.0
* Wed Nov 10 2021 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-1
- Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160).


@ -0,0 +1,61 @@
From 2d0b58759ba823bbc372ac19fea5080f4261c26e Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Tue, 16 Nov 2021 16:12:33 +0100
Subject: [PATCH] winpr/ssl: Load legacy provider when initializing OpenSSL 3.0
With OpenSSL 3.O, FreeRDP log contains errors like:
```
4036740A4C7F0000:error:0308010C:digital envelope routines:
inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:
Global default library context, Algorithm (MD4 : 85), Properties ()
```
This leads to connection failures in some cases. This is because algorithms
like MD4 are now part of the legacy provider, which is not loaded by
default. Let's explicitly load that provider. With this change, also the
other provides has to be explicitely loaded.
---
winpr/libwinpr/utils/ssl.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
index 74ef156e7..392f8e227 100644
--- a/winpr/libwinpr/utils/ssl.c
+++ b/winpr/libwinpr/utils/ssl.c
@@ -33,6 +33,10 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#include <openssl/provider.h>
+#endif
+
#include "../log.h"
#define TAG WINPR_TAG("utils.ssl")
@@ -245,6 +249,7 @@ static BOOL winpr_enable_fips(DWORD flags)
WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ OSSL_PROVIDER_load(NULL, "fips");
if (!EVP_default_properties_is_fips_enabled(NULL))
#else
if (FIPS_mode() != 1)
@@ -305,6 +310,13 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
return FALSE;
#endif
+
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ /* The legacy provider is needed for MD4. */
+ OSSL_PROVIDER_load(NULL, "legacy");
+ OSSL_PROVIDER_load(NULL, "default");
+#endif
+
g_winpr_openssl_initialized_by_winpr = TRUE;
return winpr_enable_fips(flags);
}
--
2.33.1
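Review bot: The results of both `OSSL_PROVIDER_load` calls added to `_winpr_openssl_initialize` are discarded, so a host without the legacy module still fails on MD4 with the same opaque evp_fetch error this patch is meant to remove. A failed "default" load is worse: as the patch description itself notes, loading any provider explicitly means the others are no longer loaded implicitly, so the library context would be left without the standard algorithms. Check both, for example `if (!OSSL_PROVIDER_load(NULL, "legacy")) WLog_WARN(TAG, "OpenSSL legacy provider failed to load, MD4 will be unavailable");` and `if (!OSSL_PROVIDER_load(NULL, "default")) return FALSE;`; the unchecked `"fips"` load added in `winpr_enable_fips` deserves the same treatment. The legacy provider is also loaded unconditionally before `winpr_enable_fips(flags)` runs, and whether its algorithms stay unreachable in FIPS mode depends on property handling outside these hunks, so a comment stating that, or skipping the legacy load when FIPS is requested, would help. Both function bodies continue outside the hunks shown.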