Bug 1373864

Summary: openssl engines not detected
Product: [JBoss] JBoss Enterprise Web Server 2
Component: openssl
Version: 2.1.1
Status: CLOSED WONTFIX
Severity: urgent
Priority: unspecified
Hardware: x86_64
OS: Linux
Reporter: Lami Akagwu <lakagwu>
Assignee: George Zaronikas <gzaronik>
QA Contact: Michal Karm Babacek <mbabacek>
CC: gtedorst, lakagwu, rbost
Doc Type: If docs needed, set a value
Last Closed: 2019-06-13 12:20:00 UTC
Type: Bug
Attachments:
sample openssl.cnf (flags: none)
test case openssl.conf (flags: none)

Description Lami Akagwu 2016-09-07 10:11:11 UTC
Description of problem:
Engine libs are not identified with EWS 2.1.1

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:

1. Go to the zip install dir
 $ pwd
 /home/guest/jboss/ews211

2. Set OPENSSL_CONF and LD_LIBRARY_PATH

 $ echo $OPENSSL_CONF
 /home/guest/jboss/ews211/httpd/conf/openssl/pki/tls/openssl.cnf

 $ echo $LD_LIBRARY_PATH
 /home/guest/jboss/ews211/httpd/lib:/home/guest/ews211/httpd/lib:

3. Execute the test and it fails

 openssl/bin/openssl engine -t chil

140467685607240:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/libchil.so): /opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/libchil.so: cannot open shared object file: No such file or directory
140467685607240:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
140467685607240:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
140467685607240:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:392:id=chil

4. Tried to find where "(/opt/rh/jbcs-httpd24" was coming from 
 $ strings ./httpd/lib/libcrypto.so.1.0.2h  | grep jbcs
  OPENSSLDIR: "/opt/rh/jbcs-httpd24/root/etc/pki/tls"
 /opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines
 /opt/rh/jbcs-httpd24/root/etc/pki/tls/private
 /opt/rh/jbcs-httpd24/root/etc/pki/tls
 /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs
 /opt/rh/jbcs-httpd24/root/etc/pki/tls/cert.pem


5. Tried setting the config in /path-to/openssl.conf - still failed

 [guest@boom ews211]$ cat /home/guest/jboss/ews211/httpd/conf/openssl/pki/tls/openssl.cnf
 ...
 openssl_conf = openssl_def

 [openssl_def]
 engines = engine_section

 [engine_section]
 chil = chil_section

 [chil_section]
 engine_id = chil
 # Load engine from DSO
 dynamic_path = /home/guest/jboss/ews211/httpd/lib/openssl/engines/libchil.so

 Output still the same as (3) above

6. Tried the following, running openssl with the -pre options

 $ ./openssl/bin/openssl engine -vvvv dynamic -pre SO_PATH:/home/guest/jboss/ews211/httpd/lib/openssl/engines/libchil.so -pre LOAD
 (dynamic) Dynamic engine loading support
 [Success]:
 SO_PATH:/home/guest/jboss/ews211/httpd/lib/openssl/engines/libchil.so
 [Success]: LOAD
 Loaded: (chil) CHIL hardware engine support
      SO_PATH: Specifies the path to the 'hwcrhk' shared library
           (input flags): STRING
      FORK_CHECK: Turns fork() checking on (non-zero) or off (zero)
           (input flags): NUMERIC
      THREAD_LOCKING: Turns thread-safe locking on (zero) or off (non-zero)
           (input flags): NUMERIC
      SET_USER_INTERFACE: Set the global user interface (internal)
           (input flags): [Internal]
      SET_CALLBACK_DATA: Set the global user interface extra data (internal)
           (input flags): [Internal]

----------------------


Actual results:
1. Test fails: chil library not detected
2. Test only works if the libs are all in /opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/lib

Expected results:
chil library and all other installed libraries should be detected

Additional info:

Comment 1 George Zaronikas 2016-09-07 10:55:08 UTC
Hello Lami,

Quick question below

Based on EWS 2.1.1 release notes:
"To get your custom engine working, you have to set it in the upper section of the openssl.cnf file before any other section. Then, you need to export the OPENSSL_CONF variable to make openssl use this configuration. "

In my lab, this was responsible for not being able to get my custom engine to work. As of your step 5 now, and while your configuration seems correct, have you verified that you're adding the engine configuration in the upper section/start of openssl.cnf?

Comment 2 Lami Akagwu 2016-09-07 11:09:44 UTC
Can you provide a sample of your openssl.cnf for test purposes so I can compare?

Comment 4 George Zaronikas 2016-09-07 11:50:46 UTC
Created attachment 1198688 [details]
sample openssl.cnf

Please check my configuration and compare it with yours. Currently in my lab this configuration works as expected.

Comment 5 George Zaronikas 2016-09-07 11:52:35 UTC
Also, working with copying the lib to /opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/lib is expected, since this path is in the ld library path of openssl, so it will look there by default if you don't specify the custom engine openssl.

Comment 7 Lami Akagwu 2016-09-07 12:03:23 UTC
Created attachment 1198689 [details]
test case openssl.conf

Comment 8 Michal Karm Babacek 2016-09-12 07:12:12 UTC
Hello,

We had tested this dummy engine [1], and consequently filed the
following bugzilla [2]. Finally we arrived at the conclusion
that it works. It correctly loads on my RHEL 6 VM at this very minute.

The key is to have OPENSSL_CONF exported, _having engine configuration
at the very top of the openssl.cnf file_ and, last but not least,
to have the attribute dynamic_path set to the full path to the shared
object and to have a correct LD_LIBRARY_PATH.

I'll keep an eye on this bugzilla and I'll amend our tests if necessary.


Cheers
-K-

[1] https://github.com/Karm/DummyCryptoDevice/blob/master/src/e_dummy.c
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1357521
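A checker for the two configuration mistakes this thread turns on: an `openssl_conf` key that is not in the top section of openssl.cnf (comments 1 and 8) and a `dynamic_path` that is not an absolute path to an existing shared object (step 5 of the description). This is an added example, not code from the bug report, JBoss EWS or OpenSSL; the sample configs are constructed from step 5, and the parser is a deliberately minimal subset of OpenSSL's CONF syntax (no variable expansion, no includes).

```python
import os
import re
_SECTION = re.compile(r"^\[\s*([^\]]+?)\s*\]$")
_KEYVAL = re.compile(r"^([\w.]+)\s*=\s*(.*)$")

def parse_cnf(text):
    """Minimal OpenSSL CONF parser -> {section: {key: value}}.
    Keys above the first [section] header belong to 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if m := _SECTION.match(line):
            current = m.group(1)
            sections.setdefault(current, {})
        elif m := _KEYVAL.match(line):
            sections[current][m.group(1)] = m.group(2).strip()
    return sections

def engine_paths(text, exists=os.path.exists):
    """Follow openssl_conf -> engines -> <id> = <section> -> dynamic_path and
    return ({engine_id: path}, [problems]); exists() is injectable for tests."""
    s = parse_cnf(text)
    if "openssl_conf" not in s["default"]:  # buried under a [section]: never read
        return {}, ["openssl_conf is not in the top (default) section"]
    app = s.get(s["default"]["openssl_conf"], {})
    engines = s.get(app.get("engines", ""), {})
    if not engines:
        return {}, ["no engines section reachable from openssl_conf"]
    paths, problems = {}, []
    for eid, sec in engines.items():
        p = s.get(sec, {}).get("dynamic_path")
        if not p or not os.path.isabs(p):
            problems.append(f"{eid}: dynamic_path missing or not absolute")
            continue
        paths[eid] = p
        if not exists(p):  # e.g. libchil.so is not where the config says
            problems.append(f"{eid}: dynamic_path does not exist: {p}")
    return paths, problems
# Constructed samples: GOOD mirrors step 5; BAD buries openssl_conf under [req]
ENGINE_BLOCK = """[openssl_def]
engines = engine_section
[engine_section]
chil = chil_section
[chil_section]
engine_id = chil
dynamic_path = /home/guest/jboss/ews211/httpd/lib/openssl/engines/libchil.so
"""
GOOD_CNF = "openssl_conf = openssl_def\n[req]\ndefault_bits = 2048\n" + ENGINE_BLOCK
BAD_CNF = "[req]\ndefault_bits = 2048\nopenssl_conf = openssl_def\n" + ENGINE_BLOCK
```

Against a real file, `engine_paths(open(os.environ["OPENSSL_CONF"]).read())` reports the chil path with an empty problem list only when the .so actually exists where dynamic_path points.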

Comment 9 Michal Karm Babacek 2016-09-12 07:14:05 UTC
Lami, could you run ldd on the shared object you are trying to load? Perhaps there is some wrong hardcoded linkage...

Comment 15 Lami Akagwu 2016-11-24 16:09:29 UTC
I can confirm that after setting the following env properties

export OPENSSL_CONF=/home/guest/jboss/ews211/httpd/conf/openssl/pki/tls/openssl.cnf
export LD_LIBRARY_PATH=/home/guest/jboss/ews211/httpd/lib:$LD_LIBRARY_PATH

+ the openssl.cnf,
the openssl engine -t chil command detects the chil engine.

However, starting the SSL-enabled HSM-protected Apache HTTP Server by running one of the following commands
----
/opt/nfast/bin/preload -f /var/run/nfast/apache --cardset-name=<token_name> /usr/local/apache2/bin/httpd -k start
----

the chil engine is being looked up in the wrong place: ../opt/rh/jbcs-httpd24/root/..
-----
open("/opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/libchil.so", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "Syntax error on line 124 of /web"..., 94) = 94
write(2, "SSLCryptoDevice: Invalid argumen"..., 112) = 112
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
-----

Comment 18 Robert Bost 2016-12-06 21:14:40 UTC
The wrong path to engines is being used. Setting the OPENSSL_ENGINES environment variable to the correct path resolves the issue. I've asked the customer to test.

Comment 19 Lami Akagwu 2016-12-09 14:17:31 UTC
Verified: setting OPENSSL_ENGINES resolved the problem.
Release notes need to be updated.