From 7a6f5d685590252b8f899ce5c527e2186bd0ae59 Mon Sep 17 00:00:00 2001
From: Ondrej Holy
Date: Sat, 27 Nov 2021 10:38:32 +0100
Subject: [PATCH] Load legacy provider when initializing OpenSSL 3.0

See: https://github.com/FreeRDP/FreeRDP/pull/7448
(cherry picked from Fedora commit 03115cf349e3643ddb2881c718043908ad21cf2d)
Resolves: #2023182
Related: #2023262
---
 freerdp.spec | 4 ++
 ...egacy-provider-when-initializing-Ope.patch | 61 +++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch

diff --git a/freerdp.spec b/freerdp.spec
index 069cf8e..9910f26 100644
--- a/freerdp.spec
+++ b/freerdp.spec
@@ -34,6 +34,9 @@ Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{
 Patch0: Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
 Patch1: Fixed-7436-Datatype-mismatch.patch
 
+# https://github.com/FreeRDP/FreeRDP/pull/7448
+Patch2: winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
+
 BuildRequires: gcc
 BuildRequires: gcc-c++
 BuildRequires: alsa-lib-devel
@@ -301,6 +304,7 @@ find %{buildroot} -name "*.a" -delete
 %changelog
 * Fri Nov 26 2021 Ondrej Holy - 2:2.4.1-2
 - Fix datatype mismatch / big-endian breakage
+- Load legacy provider when initializing OpenSSL 3.0
 
 * Wed Nov 10 2021 Ondrej Holy - 2:2.4.1-1
 - Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160).
diff --git a/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch b/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
new file mode 100644
index 0000000..9f20750
--- /dev/null
+++ b/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
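Review bot: The new `Patch2: winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch` tag only takes effect if %prep applies it, and %prep is outside this hunk. With `%autosetup -p1` the new tag is picked up automatically, but if the spec lists patches explicitly (`%patch0`, `%patch1`) a matching `%patch2 -p1` line is needed, otherwise the changelog entry claims a fix that is never applied. Confirming in the build log that the patch is applied would settle this.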
@@ -0,0 +1,61 @@
+From 2d0b58759ba823bbc372ac19fea5080f4261c26e Mon Sep 17 00:00:00 2001
+From: Ondrej Holy
+Date: Tue, 16 Nov 2021 16:12:33 +0100
+Subject: [PATCH] winpr/ssl: Load legacy provider when initializing OpenSSL 3.0
+
+With OpenSSL 3.O, FreeRDP log contains errors like:
+
+```
+4036740A4C7F0000:error:0308010C:digital envelope routines:
+inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:
+Global default library context, Algorithm (MD4 : 85), Properties ()
+```
+
+This leads to connection failures in some cases. This is because algorithms
+like MD4 are now part of the legacy provider, which is not loaded by
+default. Let's explicitly load that provider. With this change, also the
+other provides has to be explicitely loaded.
+---
+ winpr/libwinpr/utils/ssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
+index 74ef156e7..392f8e227 100644
+--- a/winpr/libwinpr/utils/ssl.c
++++ b/winpr/libwinpr/utils/ssl.c
+@@ -33,6 +33,10 @@
+ #include
+ #include
+ 
++#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
++#include
++#endif
++
+ #include "../log.h"
+ #define TAG WINPR_TAG("utils.ssl")
+ 
+@@ -245,6 +249,7 @@ static BOOL winpr_enable_fips(DWORD flags)
+ WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
+ 
+ #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
++ OSSL_PROVIDER_load(NULL, "fips");
+ if (!EVP_default_properties_is_fips_enabled(NULL))
+ #else
+ if (FIPS_mode() != 1)
+@@ -305,6 +310,13 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
+ return FALSE;
+ 
+ #endif
++
++#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
++ /* The legacy provider is needed for MD4. */
++ OSSL_PROVIDER_load(NULL, "legacy");
++ OSSL_PROVIDER_load(NULL, "default");
++#endif
++
+ g_winpr_openssl_initialized_by_winpr = TRUE;
+ return winpr_enable_fips(flags);
+ }
+-- 
+2.33.1
+
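Review bot: The return values of `OSSL_PROVIDER_load(NULL, "legacy")` and `OSSL_PROVIDER_load(NULL, "default")` in the `_winpr_openssl_initialize` hunk are discarded, so when the legacy module is missing or fails to load (it is typically a loadable module rather than built into libcrypto) the failure is silent and the MD4 fetch error this patch is meant to fix reappears later with no hint why. Suggest checking each call and logging, e.g. `if (!OSSL_PROVIDER_load(NULL, "legacy"))` / `WLog_WARN(TAG, "failed to load the OpenSSL legacy provider; MD4 will be unavailable");`, with the same treatment for the `"default"` load and for `OSSL_PROVIDER_load(NULL, "fips")` in the `winpr_enable_fips` hunk. The returned `OSSL_PROVIDER *` handles are never unloaded, which looks deliberate for a once-only initializer; a comment such as `/* Handles are dropped on purpose: providers stay loaded for the lifetime of the process. */` would make that clear. The existing comment explains only the legacy load; the `"default"` load needs its own, e.g. `/* Explicitly loading any provider disables the implicit default provider, so it must be loaded too. */`, which is the reason the commit message gives. Both enclosing functions start and end outside their inner hunks.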