From 0f92c8d8cb211f49645c9295262619d5297e2e1b Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 1 Mar 2025 20:28:45 +0200
Subject: [PATCH] OpenSSL: Use default provider instead of fips provider for DH group 5

In builds without CONFIG_FIPS=y, use the OpenSSL default provider instead of the fips provider for DH group 5 operation since that is not available in the fips provider.

Signed-off-by: Jouni Malinen
---
 src/crypto/crypto_openssl.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index b4ac2a934..ba87feb61 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -1086,16 +1086,23 @@ err:
 struct wpabuf *pubkey = NULL, *privkey = NULL;
 BIGNUM *priv_bn = NULL;
 EVP_PKEY_CTX *gctx;
+ const char *propquery = NULL;
 *priv = NULL;
 wpabuf_free(*publ);
 *publ = NULL;
+ if (OSSL_PROVIDER_available(NULL, "fips")) {
+ openssl_disable_fips();
+ openssl_load_default_provider_if_fips();
+ propquery = "provider!=fips";
+ }
+
 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, "modp_1536", 0);
 params[1] = OSSL_PARAM_construct_end();
- gctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+ gctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", propquery);
 if (!gctx || EVP_PKEY_keygen_init(gctx) != 1 || EVP_PKEY_CTX_set_params(gctx, params) != 1 ||
-- 
2.47.2
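Review bot: The new `if (OSSL_PROVIDER_available(NULL, "fips"))` block changes provider state on the default (NULL) library context and nothing in the hunk restores it after the DH keygen, so, assuming the helpers do what their names say, every later OpenSSL operation in the process is affected rather than only this group 5 keygen; that trade-off deserves a comment at the top of the block. Something like `/* DH group 5 (modp_1536) is not provided by the fips provider; switch the default libctx to the default provider for this keygen. This is process-wide and is not reverted afterwards. */` would make it explicit. `openssl_disable_fips()` and `openssl_load_default_provider_if_fips()` are defined outside the hunk, so whether they are no-ops under CONFIG_FIPS=y, as the commit message implies, cannot be confirmed here; if they are, `EVP_PKEY_CTX_new_from_name(NULL, "DH", "provider!=fips")` is expected to fail in such builds, and the failure path after `if (!gctx || ...` continues outside the hunk, so it is worth checking that it reports the reason rather than a generic keygen error. The enclosing function starts and ends outside the hunk.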