Bug 1883012 - mbedtls-devel shared libs link against openssl libcrypto.so.1.1 due to -DUSE_PKCS11_HELPER_LIBRARY=ON
Summary: mbedtls-devel shared libs link against openssl libcrypto.so.1.1 due to -DUSE_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mbedtls
Version: 32
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Morten Stevens
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-27 13:24 UTC by gs-fedoraproject.org
Modified: 2020-10-23 22:14 UTC

Fixed In Version: mbedtls-2.16.8-2.fc33
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-23 22:14:54 UTC
Type: Bug



Description gs-fedoraproject.org 2020-09-27 13:24:58 UTC
Description of problem:
The mbedtls-devel package's shared libs link against OpenSSL libcrypto.so.1.1 due to an enabled feature dependency on libpkcs11-helper. This results in a larger base memory footprint for programs using the mbedtls libraries, which is not "light-weight" as intended.

Version-Release number of selected component (if applicable):
2.16.8

How reproducible:
always

Steps to Reproduce:
1. Build mbedtls-devel package with and without -DUSE_PKCS11_HELPER_LIBRARY=ON and with and without -DENABLE_ZLIB_SUPPORT=ON defined in mbedtls.spec

Actual results:
$ ldd /lib64/libmbedtls.so
	linux-vdso.so.1 (0x00007fff48a95000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f4abaf71000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4abaf4f000)
	libmbedx509.so.0 => /lib64/libmbedx509.so.0 (0x00007f4abaf2c000)
	libmbedcrypto.so.3 => /lib64/libmbedcrypto.so.3 (0x00007f4abaec6000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f4abacfc000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f4abafe0000)
	libpkcs11-helper.so.1 => /lib64/libpkcs11-helper.so.1 (0x00007f4abacdc000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f4abacd3000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f4aba9e6000)

Expected results:
(from a sample build from source, also excluding pthread for my test)
$ ldd library/*.so
library/libmbedtls.so:
	linux-vdso.so.1 (0x00007fff50bdc000)
	libmbedcrypto.so.5 => /lib64/libmbedcrypto.so.5 (0x00007f031ccd5000)
	libmbedx509.so.1 => /lib64/libmbedx509.so.1 (0x00007f031ccb5000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3c0ecf1000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3c0ef0f000)

Additional info:

mbedtls package description:
Description :
Mbed TLS is a light-weight open source cryptographic and SSL/TLS
library written in C. Mbed TLS makes it easy for developers to include
cryptographic and SSL/TLS capabilities in their (embedded)
applications with as little hassle as possible.

Yet mbedtls.spec contains
%cmake \
        -DCMAKE_BUILD_TYPE=Release \
        -DLINK_WITH_PTHREAD=ON \
        -DUSE_PKCS11_HELPER_LIBRARY=ON \
        -DENABLE_ZLIB_SUPPORT=ON \
        -DINSTALL_MBEDTLS_HEADERS=ON \
        -DUSE_SHARED_MBEDTLS_LIBRARY=ON \
        -DUSE_STATIC_MBEDTLS_LIBRARY=ON

Including -DUSE_PKCS11_HELPER_LIBRARY=ON ends up using the pkcs11-helper package, which depends on openssl-devel:
$ rpm -qR pkcs11-helper
...
libcrypto.so.1.1()(64bit)
libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)

==> Please consider removing the -DUSE_PKCS11_HELPER_LIBRARY=ON feature in mbedtls-devel in a future release of Fedora.

While on the subject of optional features, please also consider omitting -DENABLE_ZLIB_SUPPORT=ON since compression in the TLS layer has known security flaws and TLS Compression use is deprecated.

Note that USE_PKCS11_HELPER_LIBRARY and ENABLE_ZLIB_SUPPORT default to OFF -- they are not enabled by default -- in the official source code for mbedtls.
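The report's evidence is the `ldd` output: the "actual" list pulls in libz, libpkcs11-helper and libcrypto, the "expected" list does not. Below is an added example (written for this page, not part of the bug report or of the mbedtls/Fedora packaging) of a small POSIX sh check that reduces `ldd` output to bare sonames and fails when any of a list of forbidden libraries appears, so a package build or CI job can reject an unwanted transitive dependency before it ships. The two samples are constructed from the ldd listings quoted above (load addresses are irrelevant and copied verbatim); the function names `sonames` and `forbidden_deps` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or the mbedtls package.
# Flags unexpected transitive dependencies in `ldd` output.

# Constructed sample 1: the reporter's "actual" ldd output for the
# Fedora build with USE_PKCS11_HELPER_LIBRARY and ENABLE_ZLIB_SUPPORT on.
ACTUAL_LDD='	linux-vdso.so.1 (0x00007fff48a95000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f4abaf71000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4abaf4f000)
	libmbedx509.so.0 => /lib64/libmbedx509.so.0 (0x00007f4abaf2c000)
	libmbedcrypto.so.3 => /lib64/libmbedcrypto.so.3 (0x00007f4abaec6000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f4abacfc000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f4abafe0000)
	libpkcs11-helper.so.1 => /lib64/libpkcs11-helper.so.1 (0x00007f4abacdc000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f4abacd3000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f4aba9e6000)'

# Constructed sample 2: the reporter's "expected" output from a build
# with both optional features (and pthread) left at their default OFF.
EXPECTED_LDD='	linux-vdso.so.1 (0x00007fff50bdc000)
	libmbedcrypto.so.5 => /lib64/libmbedcrypto.so.5 (0x00007f031ccd5000)
	libmbedx509.so.1 => /lib64/libmbedx509.so.1 (0x00007f031ccb5000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3c0ecf1000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3c0ef0f000)'

# sonames: read ldd output on stdin, print one bare soname per line.
# "name => path (addr)" lines yield "name"; the loader line
# "/lib64/ld-linux-x86-64.so.2 (addr)" yields its basename.
sonames() {
    awk '{ n = $1; sub(/.*\//, "", n); print n }'
}

# forbidden_deps LDD_OUTPUT PATTERN...
# Prints every soname in LDD_OUTPUT that matches one of the shell-glob
# PATTERNs to stderr. Returns 0 when nothing matched, 1 otherwise, so it
# can gate a build step. Plain variables are used instead of `local`
# to stay within POSIX sh.
forbidden_deps() {
    _out=$1
    shift
    _hits=""
    for _name in $(printf '%s\n' "$_out" | sonames); do
        for _pat in "$@"; do
            case "$_name" in
                $_pat) _hits="$_hits $_name" ;;
            esac
        done
    done
    [ -z "$_hits" ] && return 0
    printf '%s\n' "unexpected dependency:$_hits" >&2
    return 1
}

# Demonstration on the two constructed samples. Against a real build
# you would pipe `ldd /lib64/libmbedtls.so` into the same check, e.g.
#   forbidden_deps "$(ldd /lib64/libmbedtls.so)" 'libcrypto.so*' 'libz.so*'
forbidden_deps "$ACTUAL_LDD" 'libcrypto.so*' 'libz.so*' 'libpkcs11-helper.so*' \
    || echo "actual build: rejected"
forbidden_deps "$EXPECTED_LDD" 'libcrypto.so*' 'libz.so*' 'libpkcs11-helper.so*' \
    && echo "expected build: clean"
```

The glob patterns match on the soname only, so an ABI bump (libcrypto.so.1.1 to libcrypto.so.3) is still caught; matching on the full path would silently pass once the library moved. Note that `ldd` resolves the whole dependency closure, which is exactly what the reporter wants to measure: libcrypto is not a direct dependency of libmbedtls, it arrives through libpkcs11-helper.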

Comment 1 Fedora Update System 2020-10-15 11:16:29 UTC
FEDORA-2020-dce9999ec7 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-dce9999ec7

Comment 2 Fedora Update System 2020-10-15 19:09:17 UTC
FEDORA-2020-dce9999ec7 has been pushed to the Fedora 33 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-dce9999ec7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-dce9999ec7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2020-10-23 22:14:54 UTC
FEDORA-2020-dce9999ec7 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

