Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openssl 3.0 - how to enable legacy provider? #60

Closed
Leseratte10 opened this issue May 1, 2022 · 3 comments
Closed

openssl 3.0 - how to enable legacy provider? #60

Leseratte10 opened this issue May 1, 2022 · 3 comments

Comments

@Leseratte10
Copy link
Contributor

I updated my project to use oscrypto 1.3.0 to support Ubuntu 22.04 with Openssl 3, but I'm running into an issue.

If I'm reading the commit message of 5ae0e79 correctly, then oscrypto should support the legacy mode of openssl. However, my application fails when calling parse_pkcs12, and raises an exception in rc2_cbc_pkcs5_decrypt with the message "OpenSSL has been compiled without RC2 support".

Is there anything I can do from within Python / with oscrypto to get around that and have it still use RC2, or can I somehow enable this RC2 support in OpenSSL?

I believe applications do need to actively request this legacy provider, does oscrypto do that?

Looking at this code in _libcrypto.py:

# This enables legacy algorithms in OpenSSL 3.0, such as RC2, etc
# which are used by various tests and some old protocols and things
# like PKCS12
libcrypto_legacy_support = True
if libcrypto_version_info >= (3, ):
    if libcrypto.OSSL_PROVIDER_available(null(), "legacy".encode("ascii")):
        libcrypto.OSSL_PROVIDER_load(null(), "legacy".encode("ascii"))
    else:
        libcrypto_legacy_support = False

this might already be implemented if I'm reading this correctly, but why doesn't it work then?
Can I somehow test if Ubuntu 22.04 actually ships completely without this legacy module?
@Leseratte10 Leseratte10 mentioned this issue May 1, 2022
Closed
@Leseratte10
Copy link
Contributor Author

Okay, just added some debug prints and apparently OSSL_PROVIDER _available(null(), "legacy") is returning False / 0, so the legacy provider might actually be disabled on Ubuntu 22.04 ... damnit.

@Leseratte10
Copy link
Contributor Author

Leseratte10 commented May 2, 2022
edited
Loading

Figured out two things:

A) OSSL_PROVIDER_available might be broken on Ubuntu 22.04, as it returns 0 even though the legacy module is actually available.

B) According to OpenSSL documentation, as soon as you load a provider, it will no longer auto-load the default providers, so you'd need to first load the "legacy", then the "default" provider.

Maybe the code can be modded so it doesn't use the "available" function at all and just tries to load the legacy module and sees if it works?

@Leseratte10
Copy link
Contributor Author

Sorry for the "comment spam": Looks like OSSL_PROVIDER_available does not indicate whether a provider can loaded, but rather whether it is currently loaded.

So instead of first checking for availability, you need to try and load it immediately, then afterwards check if it's available. I'll be creating a PR.

@Leseratte10 Leseratte10 mentioned this issue May 3, 2022
Merged
Leseratte10 added a commit to Leseratte10/oscrypto that referenced this issue May 3, 2022
@Leseratte10
Fix legacy crypto support for OpenSSL 3 (closes wbond#60)
ea9fcb8
@wbond wbond closed this as completed in 93a49a2 Sep 30, 2022
@mwelsch mwelsch mentioned this issue Oct 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Leseratte10