RHEL-110020

Presence of ENGINE_load_builtin_engines symbol breaks portable code


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Critical
    • Affects Version: rhel-10.0
    • Component: openssl
    • Team: rhel-security-crypto
    • Product: Red Hat Enterprise Linux

      The openssl build for RHEL10 includes engine support, and includes the symbol ENGINE_load_private_key.

      Instead of compiling openssl without engine support, the openssl/engine.h file has been zeroed out.

      This means the following autoconf test succeeds:

      AC_CHECK_HEADERS([apr_crypto.h apr_strings.h apr_hash.h openssl/err.h openssl/pem.h openssl/x509.h openssl/x509v3.h openssl/asn1.h openssl/engine.h openssl/store.h time.h])
      

      And so does the following autoconf test:

      AC_CHECK_FUNCS([apr_file_link \
                      apr_crypto_clear \
                      X509_REVOKED_get0_revocationDate \
                      X509_REVOKED_get0_serialNumber \
                      ASN1_STRING_get0_data \
                      X509_CRL_get0_lastUpdate \
                      X509_CRL_get0_nextUpdate \
                      ENGINE_load_private_key \
                      OSSL_STORE_open_ex])
      

      Code relying on detecting ENGINE_load_private_key then breaks, because despite the header file being present, and the symbol being present, the definition is absent, and so portable code breaks.

      What needs to be done instead is that openssl be genuinely not installed with engine support, so that none of the ENGINE_* symbols exist.

      The OPENSSL_NO_ENGINE symbol will disappear when engine support is removed from openssl, and this will break portable code, so relying on OPENSSL_NO_ENGINE is not a solution.

      What were you trying to do that didn't work?

      Compile portable code on RHEL10.

      What is the impact of this issue to you?

      Portable code no longer builds, special RHEL-only hacks need to be employed to work around this.

      Please provide the package NVR for which the bug is seen:

      openssl-libs-3.2.2-16.el10.x86_64

      How reproducible is this bug?:

      Always.

      Steps to reproduce

      1. Use autoconf tests above
      2. Portable code fails to build

      Expected results

      AC_CHECK_FUNCS should not detect ENGINE_load_private_key.

      Actual results

      AC_CHECK_FUNCS detects ENGINE_load_private_key, and this leads to portable code thinking engine support is present when it is not.

      To fix this, ensure that openssl is genuinely not building engine support.
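The report shows why `AC_CHECK_HEADERS` (file exists) plus `AC_CHECK_FUNCS` (symbol links against a dummy prototype) cannot tell a stubbed `openssl/engine.h` from a working one. The following configure.ac fragment is an added example, not from the report or from the project being built: it compiles and links a program that actually uses the declarations from the header, so an empty header fails the test the same way a build without engine support does. The cache variable `ac_cv_openssl_engine_usable` and the macro `HAVE_USABLE_ENGINE_LOAD_PRIVATE_KEY` are names chosen here for illustration.

```m4
dnl Weak check (as in the report): only asks whether the file exists and
dnl whether the symbol links, so a zeroed-out header still passes.
AC_CHECK_HEADERS([openssl/engine.h])
AC_CHECK_FUNCS([ENGINE_load_private_key])

dnl Stronger check: the test program must see the ENGINE and EVP_PKEY
dnl types and the prototype of ENGINE_load_private_key, then link.
dnl An empty engine.h fails at compile time (unknown type ENGINE);
dnl a build without engine support fails because the header is absent.
AC_CACHE_CHECK([whether OpenSSL provides a usable ENGINE_load_private_key],
  [ac_cv_openssl_engine_usable],
  [AC_LINK_IFELSE([AC_LANG_PROGRAM(
     [[/* Engines are deprecated in OpenSSL 3; keep the test from failing
          on a deprecation warning when the project builds with -Werror. */
       #define OPENSSL_SUPPRESS_DEPRECATED
       #include <openssl/engine.h>]],
     [[ENGINE *e = NULL;
       EVP_PKEY *k = ENGINE_load_private_key(e, "key-id", NULL, NULL);
       return k == NULL;]])],
     [ac_cv_openssl_engine_usable=yes],
     [ac_cv_openssl_engine_usable=no])])

AS_IF([test "x$ac_cv_openssl_engine_usable" = xyes],
  [AC_DEFINE([HAVE_USABLE_ENGINE_LOAD_PRIVATE_KEY], [1],
     [Define to 1 if openssl/engine.h declares ENGINE_load_private_key
      and the function links.])])
```

Portable sources then guard engine code on `HAVE_USABLE_ENGINE_LOAD_PRIVATE_KEY` rather than on `HAVE_ENGINE_LOAD_PRIVATE_KEY` or `OPENSSL_NO_ENGINE`, so the result depends on what the headers declare rather than on which distribution patched them.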

              People: Graham Leggett (minfrin), Dmitry Belyavskiy, George Pantelakis
              Votes: 0
              Watchers: 6