Bugzilla – Bug 1101246
openssl: pkg-config enginesdir returns wrong directory, breaks openssl_tpm_engine
Last modified: 2022-02-16 20:54:29 UTC
Created attachment 776975 [details]
Do a manual test for the engines directory instead of using pkgconfig

This recent patch:

Author: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Mon Dec 4 17:54:12 2017 +0100

    autotools: make engine plugin installation pkg-config aware and configurable

is causing the engines directory for libtpm.so to be wrong. The fault looks to be in libcrypto.pc because

jejb@jarvis:~/git/linux> pkg-config --variable=enginesdir libcrypto
/usr/lib64/engines

but if you do

jejb@jarvis:~/git/linux> rpm -ql libopenssl1_0_0|grep engines
/lib64/engines
/lib64/engines/libgost.so
/lib64/engines/libpadlock.so

So the engines are in /lib64 not /usr/lib64. I fixed this with the attached patch to configure.in (it basically asks openssl config to find the engines directory rather than relying on pkg-config)
Thank you for the report.

You put this into the version category for Leap 42.3. But 42.3 does not contain this patch. So is this regarding Leap 15.0 or Tumbleweed instead?
So just to get your problem right: The openssl_tpm_engine is installed in the correct directory along with the standard openssl engines. But you want to evaluate the enginesdir returned by pkg-config and it is this path that gives you issues, yes?
(In reply to Matthias Gerstner from comment #1)
> Thank you for the report.
>
> You put this into the version category for Leap 42.3. But 42.3 does not
> contain this patch. So is this regarding Leap 15.0 or Tumbleweed instead?

I build the latest openssl_tpm_engine for Leap_42.3:

https://build.opensuse.org/package/show/home:jejb1:Tumbleweed/openssl_tpm_engine

So I noticed it on Leap_42.3 (and the pkg-config mismatch must be in the Leap_32.3 openssl) but it's building the security/openssl_tpm_engine package
(In reply to Matthias Gerstner from comment #2)
> So just to get your problem right: The openssl_tpm_engine is installed in the
> correct directory along with the standard openssl engines. But you want to
> evaluate the enginesdir returned by pkg-config and it is this path that gives
> you issues, yes?

No, it's installed in the wrong directory. On the Leap_42.3 version the engines are in /lib64/engines, but when you build this package it tries to install the engine in /usr/lib64/engines, which doesn't even exist as a directory and which openssl doesn't check when enabling engines.
Oh, so you are building openssl_tpm_engine in your home project for Leap 42.3 and applied that patch from the devel project. I was looking at the stock Leap 42.3 openssl_tpm_engine which installs correctly.

I don't think it makes sense to patch this in openssl_tpm_engine. The libopenssl-devel package should be fixed to ship a correct pkg-config file. It only affects the old distros, however. In current SUSE with OpenSSL 1.1 the engines dir changed and is correct.

Since you seem to be working on openssl_tpm_engine to work against OpenSSL 1.1: I did the same a while ago and currently maintain a fork, since upstream seems to be dead:

https://github.com/mgerstner/openssl_tpm_engine
Assigning to the openssl maintainer. Can you shed some light on this?

openssl-devel from the SLE-12-SP2 codestream reports:

$ pkg-config --variable=enginesdir libcrypto
/usr/lib64/engines

But the engines are actually installed in /lib64/engines. This breaks third-party engines that use pkg-config to determine the openssl engine directory.
Yes, that needs to be fixed. (Also reported recently by Marcus in bug 997043 comment 15)
(In reply to Matthias Gerstner from comment #5)
> Oh, so you are building openssl_tpm_engine in your home project for Leap 42.3
> and applied that patch from the devel project. I was looking at the stock
> Leap 42.3 openssl_tpm_engine which installs correctly.
>
> I don't think it makes sense to patch this in openssl_tpm_engine. The
> libopenssl-devel package should be fixed to ship a correct pkg-config file.
> It only affects the old distros, however. In current SUSE with OpenSSL 1.1
> the engines dir changed and is correct.

I can go for that.

> Since you seem to be working on openssl_tpm_engine to work against OpenSSL
> 1.1: I did the same a while ago and currently maintain a fork, since upstream
> seems to be dead: https://github.com/mgerstner/openssl_tpm_engine

openssl_tpm_engine is basically legacy. I use it on one of my systems because it has a 1.2 TPM but all the rest are 2.0. The 0004-e_tpm-reduce-TPM-connection-time.patch is basically a rewrite of the engine to operate more like openssl_tpm2_engine because I ran into a scaling problem (I use about 12 TPM keys on my standard systems).

Looking at your patches I'd say you mostly did what I did to it. The only problematic piece is using environment variables: you should really use engine config options instead because some systems can't change the environment
The pkg-config now returns the correct enginesdir path: /lib64/engines.
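A packaging-time check for the mismatch discussed in this report, added here as an example and not taken from the attached patch or from openssl_tpm_engine: it rejects an engines directory that does not exist or holds no engine modules, which is the state /usr/lib64/engines was in. The function names are hypothetical, and treating the presence of *.so files as the mark of the real engines directory is an assumption.

```shell
#!/bin/sh
# Added example: verify an engines directory before installing an engine into it.

# Print the enginesdir that pkg-config advertises for libcrypto.
reported_enginesdir() {
    pkg-config --variable=enginesdir libcrypto
}

# Succeed only if $1 is an existing directory that already holds at least
# one shared object (assumption: the stock engines live there).
check_enginesdir() {
    dir=$1
    [ -n "$dir" ] || { echo "enginesdir is empty" >&2; return 1; }
    [ -d "$dir" ] || { echo "$dir: no such directory" >&2; return 1; }
    for f in "$dir"/*.so; do
        if [ -e "$f" ]; then
            return 0
        fi
    done
    echo "$dir: contains no engine modules (*.so)" >&2
    return 1
}

# Print the first candidate directory that passes check_enginesdir.
pick_enginesdir() {
    for cand in "$@"; do
        if check_enginesdir "$cand" 2>/dev/null; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Run as "script --check" to test the path pkg-config reports on this host.
if [ "${1:-}" = "--check" ]; then
    dir=$(reported_enginesdir) || exit 2
    check_enginesdir "$dir" || exit 1
    echo "enginesdir OK: $dir"
fi
```

A failed check in a package build stops the engine from being installed into a directory that, per the report, openssl does not check when enabling engines.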
SUSE-SU-2018:2928-1: An update that solves one vulnerability and has 5 fixes is now available.
Category: security (moderate)
Bug References: 1089039,1101246,1101470,1104789,1106197,997043
CVE References: CVE-2018-0737
Sources used:
SUSE OpenStack Cloud 7 (src): openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Server 12-SP3 (src): openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): openssl-1.0.2j-60.39.1
SUSE Linux Enterprise Desktop 12-SP3 (src): openssl-1.0.2j-60.39.1
SUSE Enterprise Storage 4 (src): openssl-1.0.2j-60.39.1
SUSE CaaS Platform ALL (src): openssl-1.0.2j-60.39.1
SUSE CaaS Platform 3.0 (src): openssl-1.0.2j-60.39.1
OpenStack Cloud Magnum Orchestration 7 (src): openssl-1.0.2j-60.39.1
openSUSE-SU-2018:2957-1: An update that solves one vulnerability and has 5 fixes is now available.
Category: security (moderate)
Bug References: 1089039,1101246,1101470,1104789,1106197,997043
CVE References: CVE-2018-0737
Sources used:
openSUSE Leap 42.3 (src): openssl-1.0.2j-29.1
SUSE-SU-2018:2928-2: An update that solves one vulnerability and has 5 fixes is now available.
Category: security (moderate)
Bug References: 1089039,1101246,1101470,1104789,1106197,997043
CVE References: CVE-2018-0737
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src): openssl-1.0.2j-60.39.1
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.
Category: feature (moderate)
Sources used:
SUSE Manager Tools 12-BETA (src): venv-salt-minion-3002.2-3.3.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.