Load legacy provider when initializing OpenSSL 3.0

See: https://github.com/FreeRDP/FreeRDP/pull/7448 (cherry picked from Fedora commit 03115cf349e3643ddb2881c718043908ad21cf2d) Resolves: #2023182 Related: #2023262
2021-11-27 10:38:32 +01:00 · 2021-11-27 10:38:32 +01:00 · 7a6f5d6855
parent d4756790be
commit 7a6f5d6855
2 changed files with 65 additions and 0 deletions
--- a/freerdp.spec
+++ b/freerdp.spec
@ -34,6 +34,9 @@ Source0:        https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{
 Patch0:         Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
 Patch1:         Fixed-7436-Datatype-mismatch.patch

+# https://github.com/FreeRDP/FreeRDP/pull/7448
+Patch2:         winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
+
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  alsa-lib-devel
@ -301,6 +304,7 @@ find %{buildroot} -name "*.a" -delete
 %changelog
 * Fri Nov 26 2021 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-2
 - Fix datatype mismatch / big-endian breakage
+- Load legacy provider when initializing OpenSSL 3.0

 * Wed Nov 10 2021 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-1
 - Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160).
--- a/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
+++ b/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
@ -0,0 +1,61 @@
+From 2d0b58759ba823bbc372ac19fea5080f4261c26e Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Tue, 16 Nov 2021 16:12:33 +0100
+Subject: [PATCH] winpr/ssl: Load legacy provider when initializing OpenSSL 3.0
+
+With OpenSSL 3.O, FreeRDP log contains errors like:
+
+```
+4036740A4C7F0000:error:0308010C:digital envelope routines:
+inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:
+Global default library context, Algorithm (MD4 : 85), Properties ()
+```
+
+This leads to connection failures in some cases. This is because algorithms
+like MD4 are now part of the legacy provider, which is not loaded by
+default. Let's explicitly load that provider. With this change, also the
+other provides has to be explicitely loaded.
+---
+ winpr/libwinpr/utils/ssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
+index 74ef156e7..392f8e227 100644
+--- a/winpr/libwinpr/utils/ssl.c
+++ b/winpr/libwinpr/utils/ssl.c
+@@ -33,6 +33,10 @@
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+ 
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#include <openssl/provider.h>
+#endif
+
+ #include "../log.h"
+ #define TAG WINPR_TAG("utils.ssl")
+ 
+@@ -245,6 +249,7 @@ static BOOL winpr_enable_fips(DWORD flags)
+ 		WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
+ 
+ #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+		OSSL_PROVIDER_load(NULL, "fips");
+ 		if (!EVP_default_properties_is_fips_enabled(NULL))
+ #else
+ 		if (FIPS_mode() != 1)
+@@ -305,6 +310,13 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
+ 		return FALSE;
+ 
+ #endif
+
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+	/* The legacy provider is needed for MD4. */
+	OSSL_PROVIDER_load(NULL, "legacy");
+	OSSL_PROVIDER_load(NULL, "default");
+#endif
+
+ 	g_winpr_openssl_initialized_by_winpr = TRUE;
+ 	return winpr_enable_fips(flags);
+ }
+-- 
+2.33.1
+