When using the TPM2 provider with OpenSSL s_server to load a private key from a TPM handle, the s_server command fails to process the password provided through the -pass option. This results in a signing error and ultimately fails the SSL handshake.
Steps to Reproduce:
1. Store a private key in the TPM under handle 0x81000007.
2. Run the following OpenSSL s_server command:
3. Observe that the password provided via -pass is not properly processed, resulting in TPM authorization failure.
Expected Behavior: The -pass option should pass the password correctly to the TPM2 provider, allowing successful authorization and SSL handshake.
Actual Behavior: The following errors occur during execution:
PROVIDER INIT
STORE/OBJECT OPEN handle:0x81000007
STORE/OBJECT SET_PARAMS [ properties ]
STORE/OBJECT SET_PARAMS [ expect ]
STORE/OBJECT LOAD
STORE/OBJECT LOAD pkey
STORE/OBJECT LOAD found RSA
RSA LOAD
RSA GET_PARAMS [ bits security-bits max-size ]
RSA HAS 1
STORE/OBJECT CLOSE
RAND NEW
RAND NEW
RAND GET_CTX_PARAMS [ max_request ]
RAND GENERATE
DER DECODER DECODE
RSA IMPORT [ n e ]
ACCEPT
SIGN DIGEST_INIT rsa MD=SHA256
WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x0000098e)
ERROR
801B1F0BD97C0000:error:4000000F:tpm2:tpm2_signature_digest_sign:cannot sign:src/tpm2-provider-signature.c:498:2446 tpm:session(1):the authorization HMAC check failed and DA counter incremented
801B1F0BD97C0000:error:0A080006:SSL routines:tls_construct_cert_verify:EVP lib:../ssl/statem/statem_lib.c:361:
shutting down SSL
CONNECTION CLOSED
Analysis:
The error 0x0000098e indicates an HMAC authorization failure, suggesting that the password was not passed correctly.
The TPM provider does not appear to handle the -pass option properly when loading the key by handle.
Environment:
OpenSSL Version: 3.0.2
TPM2-Openssl Commit: master
TPM Software Stack: [Provide version of tpm2-tss and tpm2-tools]
Operating System: Ubuntu 22.04
Additional Information: Relevant code section in tpm2-provider-signature.c: https://github.com/tpm2-software/tpm2-openssl/blame/04b2520873ce02fa6a8b64081633ecc879dee127/src/tpm2-provider-signature.c#L505
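For triage of the log above, the following added example (not part of the original report and not code from tpm2-openssl or tpm2-tss) decodes the ESYS `ErrorCode` using the response-code bit layout of the TPM 2.0 Library specification, Part 2. The helper names `decode_tpm_rc` and `decode_log` are hypothetical, and the name tables are a small auth-related subset. It shows that 0x0000098e is TPM_RC_AUTH_FAIL on session 1, the variant that counts toward dictionary-attack lockout, so each retry with an unaccepted password moves the key closer to TPM_RC_LOCKOUT.

```python
import re

# Format-one error numbers (bits 5:0), auth-related subset of TPM 2.0 Part 2.
FMT1_NAMES = {0x0E: "TPM_RC_AUTH_FAIL", 0x1D: "TPM_RC_POLICY_FAIL", 0x22: "TPM_RC_BAD_AUTH"}
# Format-zero codes (full 12-bit value), auth-related subset.
FMT0_NAMES = {0x125: "TPM_RC_AUTH_MISSING", 0x921: "TPM_RC_LOCKOUT"}
# Of the codes above, only AUTH_FAIL increments the dictionary-attack (DA) counter.
DA_COUNTED = {"TPM_RC_AUTH_FAIL"}

ESYS_RC = re.compile(r"ErrorCode \((0x[0-9a-fA-F]+)\)")


def decode_tpm_rc(rc):
    """Split a TSS2 return code into layer, format, error name and subject."""
    layer = (rc >> 16) & 0xFF          # 0 means the code came from the TPM itself
    code = rc & 0xFFF
    out = {"layer": layer, "code": code, "format": None, "subject": None}
    if layer != 0:
        out["name"] = "non-TPM layer code"
    elif code & 0x080:                 # bit 7 set: format-one response code
        err = code & 0x3F
        out["format"] = 1
        out["name"] = FMT1_NAMES.get(err, "RC_FMT1+0x%02x" % err)
        if code & 0x040:               # bit 6 set: error refers to a parameter
            out["subject"] = ("parameter", (code >> 8) & 0xF)
        elif code & 0x800:             # bit 11 set: error refers to a session
            out["subject"] = ("session", (code >> 8) & 0x7)
        else:                          # otherwise it refers to a handle
            out["subject"] = ("handle", (code >> 8) & 0x7)
    else:                              # format zero: no subject index
        out["format"] = 0
        out["name"] = FMT0_NAMES.get(code, "0x%03x" % code)
    out["da_counter_incremented"] = out["name"] in DA_COUNTED
    return out


def decode_log(text):
    """Decode every 'ErrorCode (0x...)' found in tpm2-tss ESYS log output."""
    return [decode_tpm_rc(int(m, 16)) for m in ESYS_RC.findall(text)]


# Log line quoted from the report above.
LOG = "ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x0000098e)"

if __name__ == "__main__":
    for result in decode_log(LOG):
        print(result)
```
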