Another iteration of the attempt to address this is available:

in libopensc/ctx.c, sc_openssl3_init:

        EVP_set_default_properties(ctx->ossl3ctx->libctx, "fips=yes");
        ctx->ossl3ctx->defprov = OSSL_PROVIDER_load(ctx->ossl3ctx->libctx,
                                                    "default");
        EVP_set_default_properties(ctx->ossl3ctx->libctx, NULL);

Setting the "fips=yes" property seems to make the default provider
behave as expected.

I believe this may be related to this commit in FIPS openssl [1]. Perhaps
opensc does something that triggers the behavior the commit message mentions:
"If applications load providers via a configuration either because the default
configuration is modified or they override the default configuration, this
disables loading of the fallback providers. In this case, the configuration
must load the FIPS provider when FIPS mode is enabled, else algorithm fetches
will fail"

[1] https://git.launchpad.net/ubuntu/+source/openssl/tree/debian/patches/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch?h=ubuntu/noble-devel

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127205

Title:
  pkcs11-tool is sending null sha-1 digest to Openssl on FIPS enabled
  ubuntu 24.04
