tpm2-openssl icon indicating copy to clipboard operation
tpm2-openssl copied to clipboard

Published 20 hours ago verified publisher icon tpm2-software

TPM2 Provider - OpenSSL s_server Fails to Read Password from -pass Option

Open gnsaddy opened this issue 10 months ago • 1 comments

When using the TPM2 provider with OpenSSL s_server to load a private key from a TPM handle, the s_server command fails to process the password provided through the -pass option. This results in a signing error and ultimately fails the SSL handshake.

Steps to Reproduce:

Store a private key in the TPM under handle 0x81000007.

Run the following OpenSSL s_server command:

openssl s_server -provider tpm2 -provider default -propquery '?provider=tpm2' -accept 12345 -cert ./leaf.cert.pem -key handle:0x81000007 -CAfile ./certs.crt -pass pass:123456

Observe that the password provided via -pass is not properly processed, resulting in TPM authorization failure.

Expected Behavior: The -pass option should pass the password correctly to the TPM2 provider, allowing successful authorization and SSL handshake.

Actual Behavior: The following errors occur during execution:

PROVIDER INIT
STORE/OBJECT OPEN handle:0x81000007
STORE/OBJECT SET_PARAMS [ properties ]
STORE/OBJECT SET_PARAMS [ expect ]
STORE/OBJECT LOAD
STORE/OBJECT LOAD pkey
STORE/OBJECT LOAD found RSA
RSA LOAD
RSA GET_PARAMS [ bits security-bits max-size ]
RSA HAS 1
STORE/OBJECT CLOSE
RAND NEW
RAND NEW
RAND GET_CTX_PARAMS [ max_request ]
RAND GENERATE
DER DECODER DECODE
RSA IMPORT [ n e ]
ACCEPT
SIGN DIGEST_INIT rsa MD=SHA256
WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x0000098e)
ERROR
801B1F0BD97C0000:error:4000000F:tpm2:tpm2_signature_digest_sign:cannot sign:src/tpm2-provider-signature.c:498:2446 tpm:session(1):the authorization HMAC check failed and DA counter incremented
801B1F0BD97C0000:error:0A080006:SSL routines:tls_construct_cert_verify:EVP lib:../ssl/statem/statem_lib.c:361:
shutting down SSL
CONNECTION CLOSED

Analysis:

The error 0x0000098e indicates an HMAC authorization failure, suggesting that the password was not passed correctly. The TPM provider does not appear to handle the -pass option properly when loading the key by handle.

Environment:

OpenSSL Version: 3.0.2 TPM2-Openssl Commit: master TPM Software Stack: [Provide version of tpm2-tss and tpm2-tools] Operating System: Ubuntu 22.04

Additional Information: Relevant code section in tpm2-provider-signature.c: https://github.com/tpm2-software/tpm2-openssl/blame/04b2520873ce02fa6a8b64081633ecc879dee127/src/tpm2-provider-signature.c#L505

gnsaddy avatar Jan 07 '25 19:01 gnsaddy