tpm2-tss: Error starting session using the openssl engine - ErrorCode (0x00070001)
I added some traces to track the error when starting the auth session. Every trace is tagged as an ERROR, so ignore the trace type (I just wanted to make sure they showed up).
Using OpenSC's pkcs11-tool with libtpm2_pkcs11.so.0.0.0, everything looks sane:
INFO on line: "406" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "406" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
INFO on line: "458" in file: "src/pkcs11.c": enter "C_Login"
INFO on line: "292" in file: "src/lib/backend_esysdb.c": token parent object handle is 0x40418487
ERROR on line: "355" in file: "src/lib/tpm.c": ------------------------------------------------
ERROR on line: "356" in file: "src/lib/tpm.c": TPM SESSION START
ERROR on line: "357" in file: "src/lib/tpm.c": ------------------------------------------------
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:110:Esys_StartAuthSession()
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:192:Esys_StartAuthSession_Async()
trace:esys:src/tss2-esys/api/Esys_StartAuthSession.c:193:Esys_StartAuthSession_Async() context=0x55cf4bfd3570, tpmKey=40418487, bind=40418487,nonceCaller=(nil), sessionType=00, symmetric=0x7ffeda2cb572,authHash=000b
trace:esys_crypto:src/tss2-esys/esys_crypto.c:34:iesys_crypto_hash_get_digest_size() call: hashAlg=11 size=0x7ffeda2ca7a0
trace:esys_crypto:src/tss2-esys/esys_crypto.c:59:iesys_crypto_hash_get_digest_size() return: *size=32
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:945:iesys_cryptossl_get_ecdh_point() CURVE 0x19f
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:982:iesys_cryptossl_get_ecdh_point() Get priv key [OK]
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:987:iesys_cryptossl_get_ecdh_point() Get pubx [OK]
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:992:iesys_cryptossl_get_ecdh_point() Get puby [OK]
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:999:iesys_cryptossl_get_ecdh_point() Get ephemeral key [OK]
debug:esys_crypto:src/tss2-esys/esys_crypto.c:679:iesys_crypto_KDFe() IESYS KDFe hashAlg: 11 label: SECRET bitLength: 256
debug:esys_crypto:src/tss2-esys/esys_crypto.c:682:iesys_crypto_KDFe() partyUInfo (size=32):
Using openssl with the pkcs11.so engine and libtpm2_pkcs11.so.0.0.0, the stack fails at getting the ephemeral key:
INFO on line: "434" in file: "src/pkcs11.c": enter "C_OpenSession"
ERROR on line: "98" in file: "src/lib/session.c": Open session with flags 0x4
INFO on line: "434" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
INFO on line: "446" in file: "src/pkcs11.c": enter "C_GetSessionInfo"
INFO on line: "446" in file: "src/pkcs11.c": return "C_GetSessionInfo" value: 0
INFO on line: "458" in file: "src/pkcs11.c": enter "C_Login"
INFO on line: "292" in file: "src/lib/backend_esysdb.c": token parent object handle is 0x40418487
ERROR on line: "355" in file: "src/lib/tpm.c": ------------------------------------------------
ERROR on line: "356" in file: "src/lib/tpm.c": TPM SESSION START
ERROR on line: "357" in file: "src/lib/tpm.c": ------------------------------------------------
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:110:Esys_StartAuthSession()
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:192:Esys_StartAuthSession_Async()
trace:esys:src/tss2-esys/api/Esys_StartAuthSession.c:193:Esys_StartAuthSession_Async() context=0x55931a07f400, tpmKey=40418487, bind=40418487,nonceCaller=(nil), sessionType=00, symmetric=0x7ffc79190ce2,authHash=000b
trace:esys_crypto:src/tss2-esys/esys_crypto.c:34:iesys_crypto_hash_get_digest_size() call: hashAlg=11 size=0x7ffc7918ff10
trace:esys_crypto:src/tss2-esys/esys_crypto.c:59:iesys_crypto_hash_get_digest_size() return: *size=32
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:945:iesys_cryptossl_get_ecdh_point() CURVE 0x19f
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:982:iesys_cryptossl_get_ecdh_point() Get priv key [OK]
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:985:iesys_cryptossl_get_ecdh_point() Get pubx error
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:990:iesys_cryptossl_get_ecdh_point() Get puby error
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:997:iesys_cryptossl_get_ecdh_point() ErrorCode (0x00070001) Get ephemeral key
ERROR:esys:src/tss2-esys/esys_iutil.c:534:iesys_compute_encrypted_salt() During computation of ECC public key. ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:229:Esys_StartAuthSession_Async() Error in parameter encryption. ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:115:Esys_StartAuthSession() Error in async function ErrorCode (0x00070001)
ERROR on line: "388" in file: "src/lib/tpm.c": Esys_StartAuthSession: esapi:Catch all for all errors not otherwise specified
ERROR on line: "295" in file: "src/lib/backend_esysdb.c": Could not start Auth Session with the TPM.
ERROR on line: "249" in file: "src/lib/session_ctx.c": Error unsealing wrapping key
INFO on line: "458" in file: "src/pkcs11.c": return "C_Login" value: 5
I reported this issue a few weeks back, but since it was not reproducible using an OpenSSL provider instead of the engine, I moved to using the provider. However, curl does not support the provider, so I am back to fixing this… karmic justice.
Any help/suggestions debugging this will be much appreciated.
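To make the failing step in the trace concrete, here is the salted-session key agreement that Esys_StartAuthSession performs for an ECC tpmKey (the work of iesys_cryptossl_get_ecdh_point() and iesys_compute_encrypted_salt(), feeding the KDFe call with label SECRET and bitLength 256 seen above), reproduced in pure Python. This is an added example, not code from tpm2-tss or from the reporter; it assumes the TPM key is a P-256 key with SHA-256 as nameAlg (authHash=000b in the trace) and follows the KDFe construction from TPM 2.0 Library Part 1. The private scalars are constructed for the example. The "Get pubx"/"Get puby" steps that fail under the engine correspond to reading the affine coordinates of the ephemeral public point here; tpm2-tss obtains them from OpenSSL via OSSL_PKEY_PARAM_EC_PUB_X/Y, which is the query the linked OpenSSL commit makes legacy engine keys answer.

```python
"""Caller/TPM salt derivation for a salted ECC auth session (added example)."""
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition/doubling on P-256."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def fe(x):
    """Encode a field element as the 32-byte big-endian string the TPM uses."""
    return x.to_bytes(32, "big")


def kdfe(hash_name, z, label, party_u, party_v, bits):
    """TPM 2.0 KDFe: H(counter || Z || label || 0x00 || partyUInfo || partyVInfo)
    with a 32-bit big-endian counter starting at 1, until `bits` bits are produced."""
    out, counter = b"", 0
    while len(out) * 8 < bits:
        counter += 1
        h = hashlib.new(hash_name)
        h.update(counter.to_bytes(4, "big"))
        h.update(z)
        h.update(label + b"\x00")
        h.update(party_u)
        h.update(party_v)
        out += h.digest()
    return out[: bits // 8]


def caller_salt(tpm_pub, eph_priv):
    """Caller side (what iesys_compute_encrypted_salt does): ephemeral key, ECDH with
    the TPM key, KDFe with label SECRET. Returns (salt, ephemeral public point); the
    ephemeral public point is what is sent to the TPM as encryptedSalt."""
    eph_pub = scalar_mult(eph_priv, G)          # "Get ephemeral key" in the trace
    shared = scalar_mult(eph_priv, tpm_pub)     # ECDH with the TPM's public key
    z = fe(shared[0])                           # Z is the x-coordinate only
    # partyUInfo = ephemeral public X (the 32-byte value the trace prints),
    # partyVInfo = TPM key public X
    salt = kdfe("sha256", z, b"SECRET", fe(eph_pub[0]), fe(tpm_pub[0]), 256)
    return salt, eph_pub


def tpm_salt(tpm_priv, eph_pub):
    """TPM side: recover the same salt from its private scalar and the caller's point."""
    tpm_pub = scalar_mult(tpm_priv, G)
    shared = scalar_mult(tpm_priv, eph_pub)
    return kdfe("sha256", fe(shared[0]), b"SECRET", fe(eph_pub[0]), fe(tpm_pub[0]), 256)


def demo():
    """Random TPM and ephemeral keys; returns (both sides agree, salt length in bytes)."""
    tpm_priv, tpm_pub = keygen()
    eph_priv, _ = keygen()
    salt, eph_pub = caller_salt(tpm_pub, eph_priv)
    return salt == tpm_salt(tpm_priv, eph_pub), len(salt)


if __name__ == "__main__":
    print(demo())
```

The TPM never sees the salt itself: only the ephemeral public point travels in the StartAuthSession command, and both sides derive the salt independently, which is why a failure to read the ephemeral point's X/Y coordinates (as in the engine trace) aborts session creation before anything is sent to the TPM.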
About this issue
- State: closed
- Created a year ago
- Comments: 18 (7 by maintainers)
Commits related to this issue
- translation: EC legacy keys, handle OSSL_PKEY_PARAM_EC_PUB_X,Y requests Required by tpm2-tss to load legacy EC keys using the OpenSSL engine. Fixes: https://github.com/tpm2-software/tpm2-tss/issues/... — committed to ldts/openssl by ldts a year ago
- translation: EC legacy keys, handle OSSL_PKEY_PARAM_EC_PUB_X,Y requests Required by tpm2-tss to load legacy EC keys using the OpenSSL engine. Fixes: https://github.com/tpm2-software/tpm2-tss/issues/... — committed to openssl/openssl by ldts a year ago
Code has been merged upstream. Will close this now.
@ldts thanks for the additional information, and the tedious debugging with this good result
Just for completeness, these are the configurations I have tested to generate a CSR (a million-mile view diagram): this PR fixes the issue when using the pkcs11 engine instead of the provider, which works unchanged.
@ldts thanks for the fix. We didn’t know the code was broken. We always welcome users to test the release candidates in their environment and report problems.