-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support with OpenSSL 3.1.x #1
Comments
I just made a quick test an managed at least to compile the codebase against openSSL 3.3.2, although there are a lot of deprecation warnings appearing during compilation. What exactly is your issue? Are there runtime errors? |
Hi Matthias,
Thanks for the response. I was also able to compile openssl-tpm-engine with
OpenSSL-3.1.6 without any issue. However I am facing issues when trying to
do curl operations from my Ruckus ICX device with the tpm option and using
a wrapped key, cert pair. In this case I am using openssl-tpm-engine-0.5,
trousers-3.15.0 and ICX device all of which are compiled with
OpenSSL-3.1.6. When I have compiled with --enable-debug option, I have
observed the following error logs.
Note: The same curl command works fine if the openssl-tpm-engine,
trousers-3.15.0 is compiled with the 1.1.x OpenSSL version and device image
itself is also compiled with the OpenSSL 1.1.x version. Based on the error
logs it seems to check if the padding is not PKCSv1.5 (function argument
got padding value passed as 3 which is no padding) and return from the
function *tpm_rsa_priv_enc*.
*Debug Outputs of a curl command which is used to get the device state
while connecting to internally managed cloud:*
DEBUG e_tpm_err.c:283 ERR_load_TPM_strings
DEBUG e_tpm_err.c:286 TPM_lib_error_code is 128
DEBUG e_tpm.c:381 tpm_engine_init
..
..
..
DEBUG e_tpm.c:647 tpm_engine_load_key
DEBUG e_tpm.c:682 Loading blob of size: 559
DEBUG e_tpm.c:897 tpm_rsa_init
DEBUG e_tpm.c:563 fill_out_rsa_object
DEBUG e_tpm.c:616 Setting hKey(0xc0000006) in RSA object
DEBUG e_tpm.c:617 Setting encScheme(0x11) in RSA object
DEBUG e_tpm.c:618 Setting sigScheme(0x12) in RSA object
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
DEBUG e_tpm.c:1154 tpm_rsa_priv_enc
DEBUG e_tpm_err.c:317 ERR_TSS_error
F76DA230:error:40000078:lib(128):(unknown
function):reason(120):e_tpm.c:1168:
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
..
..
..
..
..
* SSL certificate verify result: unable to get local issuer certificate
(20), continuing anyway.
* TLSv1.2 (OUT), TLS header, Unknown (23):
..
..
..
User-Agent: curl/7.70.0
Accept: */*
Content-Type:application/json
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS alert, decrypt error (563):
* OpenSSL SSL_read: error:0A00041B:lib(20)::reason(1051), errno 0
* Closing connection 0
DEBUG e_tpm.c:914 tpm_rsa_finish
curl: (56) OpenSSL SSL_read: error:0A00041B:lib(20)::reason(1051), errno 0
DEBUG e_tpm.c:515 tpm_engine_finish.
I am trying to debug the same but as it is a black box for me and so I am
currently stuck on this. Request your help in resolving this issue. I
would heavily appreciate any pointers on what could be causing this and
what can be done to resolve the same.
Thanks,
Abhilash.
…On Mon, Dec 30, 2024 at 4:06 PM Matthias Gerstner ***@***.***> wrote:
I just made a quick test an managed at least to compile the codebase
against openSSL 3.3.2, although there are a lot of deprecation warnings
appearing during compilation.
What exactly is your issue? Are there runtime errors?
—
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AU2RSLHMLRTPLHPPJC5VLDL2IEOZZAVCNFSM6AAAAABS2TAUE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNRVGMYDENJQGE>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
There is something off with this line number. Did you use the current version of |
Is there a plan to upgrade this to latest openSSL3.1.6 to work with TPM1.2 engine?
The text was updated successfully, but these errors were encountered: