Recommended update for tpm2-openssl

Announcement ID:	SUSE-RU-2024:3847-1
Release Date:	2024-10-31T10:07:28Z
Rating:	moderate
References:	bsc#1222899 jsc#PED-11053
Affected Products:	Basesystem Module 15-SP6 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that contains one feature and has one fix can now be installed.

Description:

This update for tpm2-openssl fixes the following issues:

This update ships tpm2-openssl. (bsc#1222899, jsc#PED-11053)

Added:

• Added support for ECDH with a KDF, which is used by ECC-based CMS (S/MIME).
• Added retrieval of OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY for EC keys and retrieval of TLS-GROUP provider capabilities to enable mTLS authentication (thanks to @rshearman).
• Added mTLS example to documentation (thanks to @hoinmic).
• Added missing RAND parameters: 'state' and 'strength' (thanks to @mccarey).
• Added ability to run tests in a container (thanks to @afreof).
• Added Visual Studio properties to simplify the Windows build (thanks to @philippun1).

Changed: * Symmetric operations are disabled by default. In most situations these are not needed and cause a huge performance penalty. To enable, configure with --enable-op-digest or --enable-op-cipher.

Removed: * Removed unofficial support for tpm2-tss < 3.2.0, which do not support the openssl 3.x.

Fixed:

• Fixed key export: the private keys are not exportable, which shall fix some TPM-based sign operations (thanks to @fhars).
• Fixed handle related operations on 32b machines (thanks to @dezgeg).
• Fixed OSSL_FUNC_KEYMGMT_HAS operations with NULL keys.
• Fixed a heap exception on some machines (thanks to @philippun1).
• Fixed build warnings when building on the Fedora Linux.
• In documentation and tests applied a correct order of providers (thanks to @hoinmic).
• Modified documentation: the user-space resource manager (abrmd) is almost mandatory for complex scenarios such as SSL or X.509 operations.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch SUSE-2024-3847=1 openSUSE-SLE-15.6-2024-3847=1
• Basesystem Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-3847=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  • tpm2-openssl-1.2.0-150600.13.3.1
  • tpm2-openssl-debuginfo-1.2.0-150600.13.3.1
  • tpm2-openssl-debugsource-1.2.0-150600.13.3.1
• Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • tpm2-openssl-1.2.0-150600.13.3.1
  • tpm2-openssl-debuginfo-1.2.0-150600.13.3.1
  • tpm2-openssl-debugsource-1.2.0-150600.13.3.1

References:

• https://bugzilla.suse.com/show_bug.cgi?id=1222899
• https://jira.suse.com/browse/PED-11053