openssl 3.0.0 legacy provider won't load via config file

Kory Hamzeh kory at avatarci.com
Mon Sep 13 23:13:31 UTC 2021


I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything seems to be working fine, except for the fact that I cannot get OpenSSL to load the legacy module when I configure /ssl/openssl.cnf as such. I can, however, load the module explicitly at run time.

This is a diff of my config file against a stock openssl.cnf.dist:

--- openssl.cnf.dist	2021-09-13 10:04:16.287697686 -0700
+++ openssl.cnf	2021-09-13 10:27:23.595752186 -0700
@@ -56,6 +56,7 @@
 # List of providers to load
 [provider_sect]
 default = default_sect
+legacy = legacy_sect
 # The fips section name should match the section name inside the
 # included fipsmodule.cnf.
 # fips = fips_sect
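Review bot: the `legacy = legacy_sect` entry only has an effect if the chain above this hunk is intact, namely `openssl_conf = openssl_init` at the top of the file and `providers = provider_sect` inside `[openssl_init]`; since the same file works on x86_64, the more likely variable is which file the ARM build actually reads, so confirm that `openssl version -d` on the target reports the directory holding this openssl.cnf (the post refers to /ssl/openssl.cnf) rather than the directory compiled into the host build.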
@@ -69,8 +70,10 @@
 # OpenSSL may not work correctly which could lead to significant system
 # problems including inability to remotely access the system.
 [default_sect]
-# activate = 1
+activate = 1
 
+[legacy_sect]
+activate = 1
 
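Review bot: `activate = 1` in `[default_sect]` is required here, not optional: once any provider is activated from the config, OpenSSL 3.0 no longer auto-loads the default provider, so leaving it commented out would break every non-legacy algorithm, as the warning at the top of this hunk says. `[legacy_sect]` has no `module =` entry, so the legacy provider is looked up as `legacy.so` in the library's compiled-in MODULESDIR (`openssl version -m`); for a cross-compiled install, check that the module was actually installed into that directory on the ARM target and that `openssl list -providers` run there shows `legacy`, which is the quickest way to tell whether config-based activation or the program's own setup is the part that fails.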
You'll notice the only changes I made were to activate the default module, define a legacy section and activate it also.

This is the code snippet that gets called from main():

#include <stdio.h>
#include <stdlib.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/provider.h>

   /* Declarations the snippet relies on; key is assumed to point at the
    * 8-byte DES key that the caller set up earlier. */
   EVP_CIPHER_CTX *e;
   int ret;
   const unsigned char *key;

#ifdef LOAD_PROVIDER
   OSSL_PROVIDER *legacy;

   /* Explicit run-time load of the legacy provider into the default library context. */
   legacy = OSSL_PROVIDER_load(NULL, "legacy");
   if (legacy == NULL) {
       printf("Failed to load Legacy provider\n");
       exit(EXIT_FAILURE);
   }
#endif
#ifdef CALL_CRYPTO_INIT
   /* Force the config file, and the providers it activates, to be processed now. */
   if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) {
       printf("Error: crypto_init failed\n");
       exit(1);
   }
#endif

   if (!(e = EVP_CIPHER_CTX_new())) {
       printf("Could not create EVP instance\n");
       return -1;
   }

   /* DES-ECB is only offered by the legacy provider, so this fails unless legacy is active. */
   if ((ret = EVP_DecryptInit_ex(e, EVP_des_ecb(), NULL, key, NULL)) != 1) {
       printf("DecryptInit failed\n");
       return -1;
   }

The EVP_DecryptInit_ex() fails if I compile without -DLOAD_PROVIDER. The other flag, CRYPTO_INIT, does not make any difference. What is puzzling is that I can build OpenSSL natively on an x86_64 machine and, using the same openssl.cnf file, the code above works and the legacy module loads without the code to explicitly load it.

Any thoughts on what I may have done wrong or how to track this down?

Thanks,
Kory
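The provider chain an openssl.cnf has to close before `legacy = legacy_sect` does anything, as an added example that is not from the original post or from OpenSSL itself: a small Python checker with a simplified parser (no `.include` or `$ENV::` handling) that follows openssl_conf -> [openssl_init] providers -> [provider_sect] -> each provider's section, then reports the two things that defeat config-based loading: a broken chain or missing `activate = 1`, and a legacy.so absent from the MODULESDIR the library was built with (`openssl version -m` on the target). SAMPLE_CNF is a constructed config mirroring the diff above.

```python
"""Follow the provider chain in an openssl.cnf the way OpenSSL 3.0 resolves it."""
import configparser
import os

# Constructed sample mirroring the diff in the post (default and legacy activated).
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
"""

def parse_cnf(text):
    """openssl.cnf is INI-like; keys before the first [section] form the top-level section.
    Simplified: '.include' directives and $ENV:: expansion are not processed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string("[__top__]\n" + text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def activated_providers(cnf):
    """openssl_conf -> init section -> providers -> provider section -> each provider's section."""
    top = cnf.get("__top__", {})
    init = cnf.get(top.get("openssl_conf") or "", {})
    provs = cnf.get(init.get("providers") or "", {})
    return sorted(name for name, sect in provs.items()
                  if (cnf.get(sect or "", {}).get("activate") or "").strip() == "1")

def diagnose(text, modules_dir, exists=os.path.exists):
    """Return findings that explain why config-based loading of 'legacy' would fail.
    modules_dir is the library's compiled-in MODULESDIR ('openssl version -m' on the target)."""
    active = activated_providers(parse_cnf(text))
    findings = []
    if "legacy" not in active:
        findings.append("legacy is not reachable through openssl_conf/providers or lacks activate = 1")
    if active and "default" not in active:
        findings.append("a provider is activated from config, so [default_sect] needs activate = 1 too")
    if not exists(os.path.join(modules_dir, "legacy.so")):
        findings.append("no legacy.so in MODULESDIR %s; config activation cannot find the module" % modules_dir)
    return findings
```

Run `diagnose(open("/ssl/openssl.cnf").read(), "<MODULESDIR from openssl version -m>")` on the target; an empty list means both the config chain and the module location check out.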
