tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

openssl EVP_* detection in 'configure' does not heed CRYPTO_LIBS #3286

Closed jhgit closed 11 months ago

jhgit commented 1 year ago

In case a system has more than one version of libcrypto installed in different locations, the configure script may detect the presence of EVP_sm3 and EVP_sm4_cfb128 ...

checking for EVP_sm3 in -lcrypto...yes
checking for EVP_sm4_cfb128 in -lcrypto... yes

But the build uses what CRYPTO_CFLAGS & CRYPTO_LIBS are set to. If configure found the above EVP_* functions, and the openssl library that CRYPTO_CFLAGS/CRYPTO_LIBS points to does not have those functions, then you get a build error like so:

 .
 .
cc -DHAVE_CONFIG_H -I. -I./lib    -fPIC -I./tools -I./lib -D_GNU_SOURCE -std=gnu99 -fdata-sections -ffunction-sections -I/usr/local/include -I/usr/local/include/tss2 -O2 -pipe  -fstack-protector-strong -fno-strict-aliasing  -MT lib/libcommon_a-tpm2_identity_util.o -MD -MP -MF lib/.deps/libcommon_a-tpm2_identity_util.Tpo -c -o lib/libcommon_a-tpm2_identity_util.o `test -f 'lib/tpm2_identity_util.c' || echo './'`lib/tpm2_identity_util.c
lib/tpm2_identity_util.c:186:20: warning: implicit declaration of function 'EVP_sm4_cfb' is invalid in C99 [-Wimplicit-function-declaration]
            return EVP_sm4_cfb();
                   ^
lib/tpm2_identity_util.c:186:20: warning: incompatible integer to pointer conversion returning 'int' from a function with result type 'const EVP_CIPHER *' (aka 'const struct evp_cipher_st *') [-Wint-conversion]
            return EVP_sm4_cfb();
                   ^~~~~~~~~~~~~
 .
 .

/bin/sh ./libtool  --tag=CC   --mode=link cc -I./tools -I./lib -D_GNU_SOURCE -std=gnu99 -fdata-sections -ffunction-sections -I/usr/local/include -I/usr/local/include/tss2 -DTPM2_TOOLS_MAX="101" -O2 -pipe  -fstack-protector-strong -fno-strict-aliasing  -Wl,--gc-sections  -Wl,-rpath,/usr/local/lib -fstack-protector-strong  -o tools/tpm2 tools/tpm2-tpm2_tool.o tools/misc/tpm2-tpm2_certifyX509certutil.o tools/misc/tpm2-tpm2_checkquote.o tools/misc/tpm2-tpm2_encodeobject.o tools/misc/tpm2-tpm2_eventlog.o tools/misc/tpm2-tpm2_print.o tools/misc/tpm2-tpm2_rc_decode.o tools/tpm2-tpm2_activatecredential.o tools/tpm2-tpm2_certify.o tools/tpm2-tpm2_changeauth.o tools/tpm2-tpm2_changeeps.o tools/tpm2-tpm2_changepps.o tools/tpm2-tpm2_clear.o tools/tpm2-tpm2_clearcontrol.o tools/tpm2-tpm2_clockrateadjust.o tools/tpm2-tpm2_create.o tools/tpm2-tpm2_createak.o tools/tpm2-tpm2_createek.o tools/tpm2-tpm2_createpolicy.o tools/tpm2-tpm2_setprimarypolicy.o tools/tpm2-tpm2_createprimary.o tools/tpm2-tpm2_dictionarylockout.o tools/tpm2-tpm2_duplicate.o tools/tpm2-tpm2_getcap.o tools/tpm2-tpm2_gettestresult.o tools/tpm2-tpm2_encryptdecrypt.o tools/tpm2-tpm2_evictcontrol.o tools/tpm2-tpm2_flushcontext.o tools/tpm2-tpm2_getekcertificate.o tools/tpm2-tpm2_getrandom.o tools/tpm2-tpm2_gettime.o tools/tpm2-tpm2_hash.o tools/tpm2-tpm2_hierarchycontrol.o tools/tpm2-tpm2_hmac.o tools/tpm2-tpm2_import.o tools/tpm2-tpm2_incrementalselftest.o tools/tpm2-tpm2_load.o tools/tpm2-tpm2_loadexternal.o tools/tpm2-tpm2_makecredential.o tools/tpm2-tpm2_nvdefine.o tools/tpm2-tpm2_nvextend.o tools/tpm2-tpm2_nvincrement.o tools/tpm2-tpm2_nvreadpublic.o tools/tpm2-tpm2_nvread.o tools/tpm2-tpm2_nvreadlock.o tools/tpm2-tpm2_nvundefine.o tools/tpm2-tpm2_nvwrite.o tools/tpm2-tpm2_nvwritelock.o tools/tpm2-tpm2_nvsetbits.o tools/tpm2-tpm2_pcrallocate.o tools/tpm2-tpm2_pcrevent.o tools/tpm2-tpm2_pcrextend.o tools/tpm2-tpm2_pcrread.o tools/tpm2-tpm2_pcrreset.o tools/tpm2-tpm2_policypcr.o tools/tpm2-tpm2_policyauthorize.o 
tools/tpm2-tpm2_policyauthorizenv.o tools/tpm2-tpm2_policynv.o tools/tpm2-tpm2_policycountertimer.o tools/tpm2-tpm2_policyor.o tools/tpm2-tpm2_policynamehash.o tools/tpm2-tpm2_policytemplate.o tools/tpm2-tpm2_policycphash.o tools/tpm2-tpm2_policypassword.o tools/tpm2-tpm2_policysigned.o tools/tpm2-tpm2_policyticket.o tools/tpm2-tpm2_policyauthvalue.o tools/tpm2-tpm2_policysecret.o tools/tpm2-tpm2_policyrestart.o tools/tpm2-tpm2_policycommandcode.o tools/tpm2-tpm2_policynvwritten.o tools/tpm2-tpm2_policyduplicationselect.o tools/tpm2-tpm2_policylocality.o tools/tpm2-tpm2_quote.o tools/tpm2-tpm2_readclock.o tools/tpm2-tpm2_readpublic.o tools/tpm2-tpm2_rsadecrypt.o tools/tpm2-tpm2_rsaencrypt.o tools/tpm2-tpm2_send.o tools/tpm2-tpm2_selftest.o tools/tpm2-tpm2_setclock.o tools/tpm2-tpm2_shutdown.o tools/tpm2-tpm2_sign.o tools/tpm2-tpm2_certifycreation.o tools/tpm2-tpm2_nvcertify.o tools/tpm2-tpm2_startauthsession.o tools/tpm2-tpm2_startup.o tools/tpm2-tpm2_stirrandom.o tools/tpm2-tpm2_testparms.o tools/tpm2-tpm2_unseal.o tools/tpm2-tpm2_verifysignature.o tools/tpm2-tpm2_setcommandauditstatus.o tools/tpm2-tpm2_getcommandauditdigest.o tools/tpm2-tpm2_getsessionauditdigest.o tools/tpm2-tpm2_geteccparameters.o tools/tpm2-tpm2_ecephemeral.o tools/tpm2-tpm2_commit.o tools/tpm2-tpm2_ecdhkeygen.o tools/tpm2-tpm2_ecdhzgen.o tools/tpm2-tpm2_zgen2phase.o tools/tpm2-tpm2_sessionconfig.o tools/tpm2-tpm2_getpolicydigest.o lib/libcommon.a -ltss2-esys -L/usr/local/lib -ltss2-mu -lcrypto -ltss2-tctildr -ltss2-rc -ltss2-sys -lcurl
libtool: link: cc -I./tools -I./lib -D_GNU_SOURCE -std=gnu99 -fdata-sections -ffunction-sections -I/usr/local/include -I/usr/local/include/tss2 -DTPM2_TOOLS_MAX=101 -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -Wl,--gc-sections -Wl,-rpath -Wl,/usr/local/lib -fstack-protector-strong -o tools/tpm2 tools/tpm2-tpm2_tool.o tools/misc/tpm2-tpm2_certifyX509certutil.o tools/misc/tpm2-tpm2_checkquote.o tools/misc/tpm2-tpm2_encodeobject.o tools/misc/tpm2-tpm2_eventlog.o tools/misc/tpm2-tpm2_print.o tools/misc/tpm2-tpm2_rc_decode.o tools/tpm2-tpm2_activatecredential.o tools/tpm2-tpm2_certify.o tools/tpm2-tpm2_changeauth.o tools/tpm2-tpm2_changeeps.o tools/tpm2-tpm2_changepps.o tools/tpm2-tpm2_clear.o tools/tpm2-tpm2_clearcontrol.o tools/tpm2-tpm2_clockrateadjust.o tools/tpm2-tpm2_create.o tools/tpm2-tpm2_createak.o tools/tpm2-tpm2_createek.o tools/tpm2-tpm2_createpolicy.o tools/tpm2-tpm2_setprimarypolicy.o tools/tpm2-tpm2_createprimary.o tools/tpm2-tpm2_dictionarylockout.o tools/tpm2-tpm2_duplicate.o tools/tpm2-tpm2_getcap.o tools/tpm2-tpm2_gettestresult.o tools/tpm2-tpm2_encryptdecrypt.o tools/tpm2-tpm2_evictcontrol.o tools/tpm2-tpm2_flushcontext.o tools/tpm2-tpm2_getekcertificate.o tools/tpm2-tpm2_getrandom.o tools/tpm2-tpm2_gettime.o tools/tpm2-tpm2_hash.o tools/tpm2-tpm2_hierarchycontrol.o tools/tpm2-tpm2_hmac.o tools/tpm2-tpm2_import.o tools/tpm2-tpm2_incrementalselftest.o tools/tpm2-tpm2_load.o tools/tpm2-tpm2_loadexternal.o tools/tpm2-tpm2_makecredential.o tools/tpm2-tpm2_nvdefine.o tools/tpm2-tpm2_nvextend.o tools/tpm2-tpm2_nvincrement.o tools/tpm2-tpm2_nvreadpublic.o tools/tpm2-tpm2_nvread.o tools/tpm2-tpm2_nvreadlock.o tools/tpm2-tpm2_nvundefine.o tools/tpm2-tpm2_nvwrite.o tools/tpm2-tpm2_nvwritelock.o tools/tpm2-tpm2_nvsetbits.o tools/tpm2-tpm2_pcrallocate.o tools/tpm2-tpm2_pcrevent.o tools/tpm2-tpm2_pcrextend.o tools/tpm2-tpm2_pcrread.o tools/tpm2-tpm2_pcrreset.o tools/tpm2-tpm2_policypcr.o tools/tpm2-tpm2_policyauthorize.o 
tools/tpm2-tpm2_policyauthorizenv.o tools/tpm2-tpm2_policynv.o tools/tpm2-tpm2_policycountertimer.o tools/tpm2-tpm2_policyor.o tools/tpm2-tpm2_policynamehash.o tools/tpm2-tpm2_policytemplate.o tools/tpm2-tpm2_policycphash.o tools/tpm2-tpm2_policypassword.o tools/tpm2-tpm2_policysigned.o tools/tpm2-tpm2_policyticket.o tools/tpm2-tpm2_policyauthvalue.o tools/tpm2-tpm2_policysecret.o tools/tpm2-tpm2_policyrestart.o tools/tpm2-tpm2_policycommandcode.o tools/tpm2-tpm2_policynvwritten.o tools/tpm2-tpm2_policyduplicationselect.o tools/tpm2-tpm2_policylocality.o tools/tpm2-tpm2_quote.o tools/tpm2-tpm2_readclock.o tools/tpm2-tpm2_readpublic.o tools/tpm2-tpm2_rsadecrypt.o tools/tpm2-tpm2_rsaencrypt.o tools/tpm2-tpm2_send.o tools/tpm2-tpm2_selftest.o tools/tpm2-tpm2_setclock.o tools/tpm2-tpm2_shutdown.o tools/tpm2-tpm2_sign.o tools/tpm2-tpm2_certifycreation.o tools/tpm2-tpm2_nvcertify.o tools/tpm2-tpm2_startauthsession.o tools/tpm2-tpm2_startup.o tools/tpm2-tpm2_stirrandom.o tools/tpm2-tpm2_testparms.o tools/tpm2-tpm2_unseal.o tools/tpm2-tpm2_verifysignature.o tools/tpm2-tpm2_setcommandauditstatus.o tools/tpm2-tpm2_getcommandauditdigest.o tools/tpm2-tpm2_getsessionauditdigest.o tools/tpm2-tpm2_geteccparameters.o tools/tpm2-tpm2_ecephemeral.o tools/tpm2-tpm2_commit.o tools/tpm2-tpm2_ecdhkeygen.o tools/tpm2-tpm2_ecdhzgen.o tools/tpm2-tpm2_zgen2phase.o tools/tpm2-tpm2_sessionconfig.o tools/tpm2-tpm2_getpolicydigest.o  lib/libcommon.a -ltss2-esys -L/usr/local/lib -ltss2-mu -lcrypto -ltss2-tctildr -ltss2-rc -ltss2-sys -lcurl
ld: error: undefined symbol: EVP_sm4_cfb
>>> referenced by tpm2_identity_util.c
>>>               libcommon_a-tpm2_identity_util.o:(aes_encrypt_buffers) in archive lib/libcommon.a

ld: error: undefined symbol: EVP_sm3
>>> referenced by tpm2_openssl.c
>>>               libcommon_a-tpm2_openssl.o:(tpm2_openssl_md_from_tpmhalg) in archive lib/libcommon.a
>>> referenced by tpm2_openssl.c
>>>               libcommon_a-tpm2_openssl.o:(tpm2_openssl_hash_compute_data) in archive lib/libcommon.a
>>> referenced by tpm2_openssl.c
>>>               libcommon_a-tpm2_openssl.o:(tpm2_openssl_pcr_extend) in archive lib/libcommon.a
>>> referenced 3 more times
cc: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[1]: *** [Makefile:2474: tools/tpm2] Error 1
gmake[1]: Leaving directory '/wrkdirs/usr/ports/security/tpm2-tools/work/tpm2-tools-5.5'
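
The mismatch reported above can be caught mechanically by correlating configure's "yes" answers with the linker's undefined-symbol errors. This is an added example, not code from the issue or from tpm2-tools; the function name and the abbreviated sample logs are constructed for illustration, and the parser assumes the lld-style error format shown in the log above.

```shell
#!/bin/sh
# Added example (not part of tpm2-tools): flag probes that configure answered
# "yes" for but whose symbol the linker later reported as undefined, i.e. the
# probe and the build did not link against the same libcrypto.

# Constructed sample logs, abbreviated from the lines quoted in the report.
CONFIGURE_LOG='checking for EVP_sm3 in -lcrypto... yes
checking for EVP_sm4_cfb128 in -lcrypto... yes
checking for EVP_no_such_fn in -lcrypto... no'

BUILD_LOG='ld: error: undefined symbol: EVP_sm4_cfb
>>> referenced by tpm2_identity_util.c
ld: error: undefined symbol: EVP_sm3
>>> referenced by tpm2_openssl.c
>>> referenced 3 more times'

# mismatched_probes CONFIGURE_TEXT BUILD_TEXT   (hypothetical helper name)
# Prints "<probed symbol> <library flag> undefined-at-link:<symbol>" per hit.
mismatched_probes() {
    printf '%s\n@@BUILD@@\n%s\n' "$1" "$2" | awk '
        /^@@BUILD@@$/ { in_build = 1; next }
        # configure output: "checking for SYM in -lLIB... yes"
        !in_build && /^checking for [^ ]+ in -l[^ ]+\.\.\. *yes$/ {
            lib = $5
            sub(/\.\.\..*$/, "", lib)      # strip the trailing "..." (and "yes")
            probed[$3] = lib
            next
        }
        # lld output: "ld: error: undefined symbol: SYM"
        in_build && /undefined symbol: / {
            sym = $NF
            # Heuristic prefix match: the log above shows configure probing
            # EVP_sm4_cfb128 while the link error names EVP_sm4_cfb.
            for (p in probed)
                if (index(p, sym) == 1 && !(p in seen)) {
                    seen[p] = 1
                    print p, probed[p], "undefined-at-link:" sym
                }
        }
    '
}

mismatched_probes "$CONFIGURE_LOG" "$BUILD_LOG"
```

Any line of output means the configure probe linked against a different library than the one the build used.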

jhgit commented 1 year ago

The following patch against the configure script (as distributed with the 5.5 release) solves the problem:

@@ -0,0 +1,20 @@
+--- configure.orig     2023-02-13 15:09:39 UTC
++++ configure
+@@ -14030,7 +14030,7 @@ if ${ac_cv_lib_crypto_EVP_sm3+:} false; then :
+   $as_echo_n "(cached) " >&6
+ else
+   ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lcrypto  $LIBS"
++LIBS="${CRYPTO_LIBS}  $LIBS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+
+@@ -14073,7 +14073,7 @@ if ${ac_cv_lib_crypto_EVP_sm4_cfb128+:} false; then :
+   $as_echo_n "(cached) " >&6
+ else
+   ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lcrypto  $LIBS"
++LIBS="${CRYPTO_LIBS}  $LIBS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+
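
Review bot: Both LIBS= replacements (at configure lines 14030 and 14073) edit the generated configure script, so the fix is lost as soon as configure is regenerated from configure.ac; the override belongs around the two AC_CHECK_LIB calls there. Within these hunks, the "(cached)" branch just above each changed line still trusts ac_cv_lib_crypto_EVP_sm3 and ac_cv_lib_crypto_EVP_sm4_cfb128, so a cache file written by a run that probed a different libcrypto would skip the corrected link test. The result is also only meaningful if CRYPTO_LIBS is already set at that point in the script, which these lines do not show.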

I don't have a simple patch against configure.ac at the moment. AC_CHECK_LIB doesn't seem to support adding flags.

jhgit commented 1 year ago

> I don't have a simple patch against configure.ac at the moment. AC_CHECK_LIB doesn't seem to support adding flags.

This does the job...

--- configure.ac.orig       2022-11-28 17:44:51.000000000 +0000
+++ configure.ac    2023-10-04 01:17:28.642321000 +0000
@@ -74,12 +74,15 @@ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
 PKG_CHECK_MODULES([TSS2_RC], [tss2-rc])
 PKG_CHECK_MODULES([TSS2_SYS], [tss2-sys])
 PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
+LIBS_save="${LIBS}"
+LIBS="${CRYPTO_LIBS} ${LIBS}"
 AC_CHECK_LIB(crypto, [EVP_sm3], [
         AC_DEFINE([HAVE_EVP_SM3], [1], [Support EVP_sm3 in openssl])],
         [])
 AC_CHECK_LIB(crypto, [EVP_sm4_cfb128], [
         AC_DEFINE([HAVE_EVP_SM4_CFB], [1], [Support EVP_sm4_cfb in openssl])],
         [])
+LIBS="${LIBS_save}"
 PKG_CHECK_MODULES([CURL], [libcurl])

 # pretty print of devicepath if efivar library is present
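
Review bot: On the two AC_CHECK_LIB(crypto, ...) calls, the macro still prepends its own bare -lcrypto to LIBS (the generated form is LIBS="-lcrypto  $LIBS"), so the probe links with -lcrypto ${CRYPTO_LIBS} and the rest. That works when CRYPTO_LIBS carries a -L directory, but if it names the library by full path the default libcrypto is still searched first and the probe can again answer yes for the wrong library. With LIBS already overridden, AC_CHECK_FUNC([EVP_sm3], ...) and AC_CHECK_FUNC([EVP_sm4_cfb128], ...) with the same AC_DEFINE actions would link against exactly ${CRYPTO_LIBS}. A one-line comment above LIBS_save explaining why LIBS is temporarily overridden would also help the next reader.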