Bug 1101246

Summary:	openssl: pkg-config enginesdir returns wrong directory, breaks openssl_tpm_engine
Product:	[openSUSE] openSUSE Distribution	Reporter:	James Bottomley <jejbniq>
Component:	Security	Assignee:	Vítězslav Čížek <vcizek>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P5 - None	CC:	vcizek
Version:	Leap 42.3
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	Do a manual test for the engines directory instead of using pkgconfig

Description James Bottomley 2018-07-14 21:52:41 UTC

Created attachment 776975 [details]
Do a manual test for the engines directory instead of using pkgconfig

This recent patch:

Author: Matthias Gerstner <matthias.gerstner@suse.de>
Date:   Mon Dec 4 17:54:12 2017 +0100

    autotools: make engine plugin installation pkg-config aware and configurable

is causing the engines directory for libtpm.so to be wrong. The fault looks to be in libcrypto.pc because

jejb@jarvis:~/git/linux> pkg-config --variable=enginesdir libcrypto
/usr/lib64/engines

but if you do
jejb@jarvis:~/git/linux> rpm -ql libopenssl1_0_0|grep engines
/lib64/engines
/lib64/engines/libgost.so
/lib64/engines/libpadlock.so

So the engines are in /lib64 not /usr/lib64.

I fixed this with the attached patch to configure.in (it basically asks openssl config to find the engines directory rather than relying on pkg-config)

Comment 1 Matthias Gerstner 2018-07-16 08:59:56 UTC

Thank you for the report.

Your put this into the version category for Leap 42.3. But 42.3 does not
contain this patch. So is this regarding Leap 15.0 or Tumbleweed instead?

Comment 2 Matthias Gerstner 2018-07-16 09:08:33 UTC

So just to get your problem right: The openssl_tpm_engine is installed in the
correct directory along with the standard openssl engines. But you want to
evaluate the enginesdir returned by pkg-config and it is this path that gives
you issues, yes?

Comment 3 James Bottomley 2018-07-16 22:09:48 UTC

(In reply to Matthias Gerstner from comment #1)
> Thank you for the report.
> 
> Your put this into the version category for Leap 42.3. But 42.3 does not
> contain this patch. So is this regarding Leap 15.0 or Tumbleweed instead?

I build the latest openssl_tpm_engine for Leap_42.3:

https://build.opensuse.org/package/show/home:jejb1:Tumbleweed/openssl_tpm_engine

So I noticed it on Leap_42.3 (and the pkg-config mismatch must be in the Leap_32.3 openssl) but it's building the security/openssl_tpm_engine package

Comment 4 James Bottomley 2018-07-16 22:11:39 UTC

(In reply to Matthias Gerstner from comment #2)
> So just to get your problem right: The openssl_tpm_engine is installed in the
> correct directory along with the standard openssl engines. But you want to
> evaluate the enginesdir returned by pkg-config and it is this path that gives
> you issues, yes?

No, it's installed in the wrong directory.  On the Leap_42.3 version the engines are in /lib64/engines, but when you build this package it tries to install the engine in /usr/lib64/engines, which doesn't even exist as a directory and which openssl doesn't check when enabling engines.

Comment 5 Matthias Gerstner 2018-07-17 10:13:53 UTC

Oh, so you are building openssl_tpm_engine in your home project for Leap 42.3
and applied that patch from the devel project. I was looking at the stock Leap
42.3 openssl_tpm_engine which installs correctly.

I don't think it makes sense to patch this in openssl_tpm_engine. The
libopenssl-devel package should be fixed to ship a correct pkg-config file.
It only affects the old distros, however. In current SUSE with OpenSSL 1.1 the
engines dir changed and is correct.

Since you seem to be working on openssl_tpm_engine to work against OpenSSL
1.1: I did the same a while ago and currently maintain a fork, since upstream
seems to be dead: https://github.com/mgerstner/openssl_tpm_engine

Comment 6 Matthias Gerstner 2018-07-17 10:48:56 UTC

Assigning to the openssl maintainer.

Can you shed some light on this? openssl-devel from the SLE-12-SP2 codestream
reports:

$ pkg-config --variable=enginesdir libcrypto
/usr/lib64/engines

But the engines are actually installed in /lib64/engines. This breaks
third-party engines that use pkg-config to determine the openssl engine
directory.

Comment 7 Vítězslav Čížek 2018-07-17 11:05:54 UTC

Yes, that needs to be fixed.

(Also reported recently by Marcus in bug 997043 comment 15)

Comment 8 James Bottomley 2018-07-17 14:54:10 UTC

(In reply to Matthias Gerstner from comment #5)
> Oh, so you are building openssl_tpm_engine in your home project for Leap 42.3
> and applied that patch from the devel project. I was looking at the stock
> Leap 42.3 openssl_tpm_engine which installs correctly.
> 
> I don't think it makes sense to patch this in openssl_tpm_engine. The
> libopenssl-devel package should be fixed to ship a correct pkg-config file.
> It only affects the old distros, however. In current SUSE with OpenSSL 1.1
> the  engines dir changed and is correct.

I can go for that.

> Since you seem to be working on openssl_tpm_engine to work against OpenSSL
> 1.1: I did the same a while ago and currently maintain a fork, since upstream
> seems to be dead: https://github.com/mgerstner/openssl_tpm_engine

openssl_tpm_engine is basically legacy.  I use it on one of my systems because it has a 1.2 TPM but all the rest are 2.0.

The 0004-e_tpm-reduce-TPM-connection-time.patch is basically a rewrite of the engine to operate more like openssl_tpm2_engine because I ran into a scaling problem (I use about 12 TPM keys on my standard systems).

Looking at your patches I'd say you mostly did what I did to it. The only problematic piece is using environment variables: you should really use engine config options instead because some systems can't change the environment

Comment 12 Vítězslav Čížek 2018-08-16 13:52:16 UTC

The pkg-config now returns the correct enginesdir path: /lib64/engines.

Comment 16 Swamp Workflow Management 2018-09-28 10:11:42 UTC

SUSE-SU-2018:2928-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1089039,1101246,1101470,1104789,1106197,997043
CVE References: CVE-2018-0737
Sources used:
SUSE OpenStack Cloud 7 (src):    openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Server 12-SP3 (src):    openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    openssl-1.0.2j-60.39.1
SUSE Enterprise Storage 4 (src):    openssl-1.0.2j-60.39.1
SUSE CaaS Platform ALL (src):    openssl-1.0.2j-60.39.1
SUSE CaaS Platform 3.0 (src):    openssl-1.0.2j-60.39.1
OpenStack Cloud Magnum Orchestration 7 (src):    openssl-1.0.2j-60.39.1

Comment 17 Swamp Workflow Management 2018-09-30 16:10:10 UTC

openSUSE-SU-2018:2957-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1089039,1101246,1101470,1104789,1106197,997043
CVE References: CVE-2018-0737
Sources used:
openSUSE Leap 42.3 (src):    openssl-1.0.2j-29.1

Comment 18 Swamp Workflow Management 2018-10-18 17:57:05 UTC

SUSE-SU-2018:2928-2: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1089039,1101246,1101470,1104789,1106197,997043
CVE References: CVE-2018-0737
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    openssl-1.0.2j-60.39.1

Comment 23 Swamp Workflow Management 2022-02-16 20:54:29 UTC

SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668
CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.