From 05a607526eeada80516fe0fe7290a7aae8e70c67 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef
Date: Wed, 11 Oct 2023 04:10:50 +0200
Subject: [PATCH] fragattacks: enable MS-CHAPv2 with OpenSSL >=3.0

This patch re-enables the usage of MS-CHAPv2 when linking with OpenSSL version 3.0 or higher.
---
 README.md                   | 3 +++
 src/crypto/crypto_openssl.c | 15 +++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/README.md b/README.md
index b6cce4052..d949ffe6f 100644
--- a/README.md
+++ b/README.md
@@ -1126,6 +1126,9 @@ For example see the above two tables with commands.
 **Version 1.3.4 (under progress):**:
+- Updated wpa_supplicant to re-enable connecting to Enterprise networks that use MS-CHAPv2. Previously, when
+  the OS uses OpenSSL 3.0 or higher, MD4 was disabled by default, meaning MS-CHAPv2 could not be used.
+
 - Added the `--pre-test-delay` parameter. This adds a delay between getting an IP address and the transmission of the first fragments/frames. See the [pull request](https://github.com/vanhoefm/fragattacks/pull/44) by Michael Trimarchi and Angelo Compagnucci.
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index 72f93c192..4a54ab0e5 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -90,6 +90,20 @@ static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
 #endif /* OpenSSL version < 1.1.0 */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *openssl_legacy_provider = NULL;
+#endif /* OpenSSL version >= 3.0 */
+
+void openssl_load_legacy_provider(void)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if (openssl_legacy_provider)
+		return;
+
+	openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
+#endif /* OpenSSL version >= 3.0 */
+}
+
 static BIGNUM * get_group5_prime(void)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
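Review bot: In the crypto_openssl.c hunk, `openssl_load_legacy_provider()` drops the result of `OSSL_PROVIDER_try_load()` without a trace: when the legacy provider cannot be loaded the static stays NULL, every later `md4_vector()` call re-attempts the load, and the only symptom is presumably a failed `EVP_md4()` digest further down, which makes an MS-CHAPv2 outage hard to diagnose from the log. A debug message at the point of failure, `if (!openssl_legacy_provider) wpa_printf(MSG_DEBUG, "OpenSSL: Failed to load legacy provider");`, would make the cause visible. The function is non-static and this commit adds no prototype for it, while its only caller is `md4_vector()` in the same file (next hunk), so `static` looks appropriate unless it is meant to be exported; nothing unloads the provider at shutdown either (`OSSL_PROVIDER_unload()`), which is worth a comment if intentional. Passing NULL as the library context loads "legacy" into the default context, so every legacy algorithm becomes available process-wide rather than only MD4 — a comment stating that this is deliberate would help the next reader. `get_group5_prime()` begins in this hunk and continues beyond it.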
@@ -196,6 +210,7 @@ static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
 #ifndef CONFIG_FIPS
 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
+	openssl_load_legacy_provider();
 	return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
 }
 #endif /* CONFIG_FIPS */
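Review bot: The new `openssl_load_legacy_provider()` call in `md4_vector()` has no comment saying why a digest routine must load a provider first; `/* On OpenSSL >= 3.0, MD4 lives in the "legacy" provider, which is not loaded by default */` would spare the next reader a trip to the OpenSSL docs. Because the loader returns void, `md4_vector()` cannot tell whether the provider became available and relies on `openssl_digest_vector()`, whose body is outside this hunk, to report the resulting `EVP_md4()` failure; if that helper does not reliably return an error for an unavailable algorithm, a status return from the loader would let `md4_vector()` return `-1` explicitly instead. `md4_vector()` is fully contained in the hunk.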