Bug 1222930

Summary: openssl_tpm2_engine fails to build on Leap 15.6 - FAIL ../check_enhanced_auth.sh
Product: [openSUSE] openSUSE Distribution Reporter: Lubos Kocman <lubos.kocman>
Component: SecurityAssignee: James Bottomley <James.Bottomley>
Status: RESOLVED UPSTREAM QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: meissner
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Lubos Kocman 2024-04-16 22:20:58 UTC 
Hello

package  openssl_tpm2_engine fails to build on Leap 15.6

https://build.opensuse.org/package/live_build_log/openSUSE:Backports:SLE-15-SP6/openssl_tpm2_engine/standard/x86_64

[  304s] Engine "tpm2" set.
[  304s] TPM2_RSA_Decrypt failed with 2461
[  304s] TPM_RC_POLICY_FAIL - a policy check failed Session number 1
[  304s] Public Key operation error
[  304s] + exit 1
[  304s] FAIL ../check_enhanced_auth.sh (exit status: 1)
[  304s] 
[  304s] + exit 1
[  304s] error: Bad exit status from /var/tmp/rpm-tmp.ZOMS2J (%check)
Comment 1 James Bottomley 2024-04-17 12:49:33 UTC 
Actually, that's not the cause.  From the logs this is the problem:

[  304s] 40B78F4A6A7F0000:error:0800008D:elliptic curve routines:group_new_from_name:invalid curve:crypto/ec/ec_lib.c:1500:
[  304s] 40B7D648FF7E0000:error:0800008D:elliptic curve routines:group_new_from_name:invalid curve:crypto/ec/ec_lib.c:1500:
[  304s] genpkey: Error generating EC key
[  304s] 4087D5CF7F7F0000:error:08000081:elliptic curve routines:EC_GROUP_new_by_curve_name_ex:unknown group:crypto/ec/ec_curve.c:3293:name=SM2
[  304s] FAIL ../wrap_generic_ecc.sh (exit status: 1)

Which is an openssl failure when asked to generate a key using the curve sm2 (the chinese elliptic curve).

There's always been a known problem with TPMs having more curves than openssl understands (in particular, TPMs are required to support Barreto Naehrig curves which openssl refuses to support), so all curve tests that need openssl to verify have a compatibility test that looks like:

    if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
	continue
    fi
 
But if you look what happens on sm2, you get

> openssl ecparam -name sm2
unable to generate key
40876EF00F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (SM2 : 0), Properties (<null>)

So openssl now knows the curve (doesn't throw an unknown curve error) but has something missing that means it can't process it correctly.

The fix is to update the compatibility check to detect this case as well.  I'll see if I can produce a patch
Comment 2 James Bottomley 2024-04-19 16:51:05 UTC 
The fixes (for tests only) are in new upstream version 4.1.2 which has been submitted to factory.