https://bugs.kde.org/show_bug.cgi?id=482819

Fabian Vogt <fab...@ritter-vogt.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REPORTED                    |NEEDSINFO
         Resolution|---                         |WAITINGFORINFO

--- Comment #27 from Fabian Vogt <fab...@ritter-vogt.de> ---
(In reply to Matt Fagnani from comment #26)
> I switched /etc/pki/tls/openssl.cnf back to the old config and rebooted. I
> closed the wallet and ran killall kwalletd6 twice. I ran ltrace -fCe
> 'DH_*+OSSL_*' kwalletd6. I opened the wallet. I ran protonvpn-app which
> crashed. kwalletd6 crashed after some of the DH functions as shown in the
> output.
> 
> ltrace -fCe 'DH_*+OSSL_*' kwalletd6
...
> [pid 3603] libQt6Core.so.6->OSSL_PROVIDER_load(0, 0x7fb30e297499,
> 0x55d4cee99010, 1) = 0x7fb2e8001ff0
> [pid 3682] +++ exited (status 0) +++
> [pid 3603] --- SIGCHLD (Child exited) ---
> [pid 3683] --- Called exec() ---
> [pid 3683] +++ exited (status 0) +++
> [pid 3603] libQt6Core.so.6->OSSL_PROVIDER_unload(0x7fb2e8001ff0,
> 0x55d4cf2530c0, 0xfffffffa, 0x7fb30d9f3b20) = 1

This caught my attention now; I don't get this here. Looking at the code, this
is only in Qt since
https://github.com/qt/qtbase/commit/ddb1c75afe474e399fe9f5f839a9ac3873dee247
and would actually explain what happens.

By default, OpenSSL loads the "DEFAULT" provider, but only if no other provider
was loaded. That disables this logic:

https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-default.html:
> Automatic loading of the default provider only occurs a maximum of once; if 
> the default provider is explicitly unloaded then the default provider will 
> not be automatically loaded again.

It appears like Fedora backported the linked Qt commit, so Qt itself loads and
unloads the DEFAULT provider.

> [pid 3603] libqca-ossl.so->OSSL_PROVIDER_try_load(0, 0x7fb2f19a10f1, 1,
> 0x7fb30d9f3ac0 <unfinished ...>
> [pid 3603] legacy.so->OSSL_LIB_CTX_new_child(0x55d4cf2504b0, 0x7fb30c89f300,
> 24, 0x55d4cf26ac60) = 0x55d4cf25cfb0
> [pid 3603] <... OSSL_PROVIDER_try_load resumed> )                         =
> 0x55d4cf2504b0
> [pid 3603] libqca-ossl.so->DH_new(0x55d4cf205910, 0x55d4cf2059f0,
> 0x55d4cf25a630, 0) = 0x7fb2f400bd30
> [pid 3603] libqca-ossl.so->DH_set0_pqg(0x7fb2f400bd30, 0x55d4cf24a2b0, 0,
> 0x55d4cf24a2d0) = 1
> [pid 3603] libqca-ossl.so->DH_generate_key(0x7fb2f400bd30, 0x7fb30c8511c0,
> 16, 0xb10b8f96a080e01d) = 0

As expected, DH_generate_key fails, causing the returned key to be null.

The Qt behavior also explains why it works with the config in comments 20 and
22: those load the default provider explicitly.

I'll leave a comment on https://bugreports.qt.io/browse/QTBUG-118227. I'm not
sure whether this is the right fix, but this should work:

diff --git a/plugins/qca-ossl/qca-ossl.cpp b/plugins/qca-ossl/qca-ossl.cpp
index f41fcbb5..0176da3b 100644
--- a/plugins/qca-ossl/qca-ossl.cpp
+++ b/plugins/qca-ossl/qca-ossl.cpp
@@ -6637,6 +6637,8 @@ public:
         if (OSSL_PROVIDER_try_load(nullptr, "legacy", 1)) {
             s_legacyProviderAvailable = true;
         }
+        // No idea how to report failure here...
+        OSSL_PROVIDER_try_load(nullptr, "default", 1);
 #else
         s_legacyProviderAvailable = true;
 #endif
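
Review bot: The return value of the added OSSL_PROVIDER_try_load(nullptr, "default", 1) call is discarded, whereas the legacy load just above it records its outcome in s_legacyProviderAvailable. If the default provider cannot be loaded, the failure seen in the trace (DH_generate_key returning 0 and a null key) would recur with nothing to point at the cause. Consider storing the result in a flag alongside s_legacyProviderAvailable, or at least emitting a warning when the call returns null, so callers can refuse to proceed instead of working with a null key. The "No idea how to report failure here..." comment should also be replaced with one that states why the default provider is loaded explicitly (another library may already have loaded and unloaded it, which disables OpenSSL's automatic loading).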
