From: Jouni Malinen
Date: Sat, 1 Mar 2025 18:28:45 +0000 (+0200)
Subject: OpenSSL: Use default provider instead of fips provider for DH group 5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f92c8d8cb211f49645c9295262619d5297e2e1b;p=thirdparty%2Fhostap.git

OpenSSL: Use default provider instead of fips provider for DH group 5

In builds without CONFIG_FIPS=y, use the OpenSSL default provider instead of the fips provider for DH group 5 operation since that is not available in the fips provider.

Signed-off-by: Jouni Malinen
---
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index b4ac2a934..ba87feb61 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -1086,16 +1086,23 @@ err:
 	struct wpabuf *pubkey = NULL, *privkey = NULL;
 	BIGNUM *priv_bn = NULL;
 	EVP_PKEY_CTX *gctx;
+	const char *propquery = NULL;
 	*priv = NULL;
 	wpabuf_free(*publ);
 	*publ = NULL;
+	if (OSSL_PROVIDER_available(NULL, "fips")) {
+		openssl_disable_fips();
+		openssl_load_default_provider_if_fips();
+		propquery = "provider!=fips";
+	}
 	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
 						     "modp_1536", 0);
 	params[1] = OSSL_PARAM_construct_end();
-	gctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+	gctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", propquery);
 	if (!gctx ||
 	    EVP_PKEY_keygen_init(gctx) != 1 ||
 	    EVP_PKEY_CTX_set_params(gctx, params) != 1 ||