Description
Hey,
I have a websocket connection in python that is encrypted with a TPM (tpm2-openssl).
I enable the TPM for OpenSSL using the OpenSSL Config with the OPENSSL_CONF environment variable.
Now I want to use the FAPI command quote in a Python script (tpm2-pytss).
But I get the following error:
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:981:iesys_cryptossl_get_ecdh_point() ErrorCode (0x00070001) Get ephemeral key
ERROR:esys:src/tss2-esys/esys_iutil.c:534:iesys_compute_encrypted_salt() During computation of ECC public key. ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:226:Esys_StartAuthSession_Async() Error in parameter encryption. ErrorCode (0x00070001)
ERROR:fapi:src/tss2-fapi/fapi_util.c:102:ifapi_get_session_async() Creating session. ErrorCode (0x00070001)
ERROR:fapi:src/tss2-fapi/fapi_util.c:1443:ifapi_get_sessions_finish() ErrorCode (0x00070001) Create FAPI session async
ERROR:fapi:src/tss2-fapi/api/Fapi_Quote.c:349:Fapi_Quote_Finish() ErrorCode (0x00070001) FAPI create session
ERROR:fapi:src/tss2-fapi/api/Fapi_Quote.c:134:Fapi_Quote() ErrorCode (0x00070001) PCR_Quote
Traceback (most recent call last):
File "/home/gateway/gateway/gateway.py", line 163, in <module>
asyncio.run(main())
File "/usr/lib/python3.11/asyncio/runners.py", line 190, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/home/gateway/gateway/gateway.py", line 157, in main
await asyncio.gather(
File "/home/gateway/gateway/gateway.py", line 110, in receive_from_data_center
info, signature, pcr_log, certificate = attester.get_quote(nonce, pcrs=[5, 6, 7, 8, 9])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/gateway/gateway/attester.py", line 44, in get_quote
info, signature, pcr_log, certificate = self.fapi_client.quote(
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/gateway/.virtualenvs/demonstrator-gateway/lib/python3.11/site-packages/tpm2_pytss/FAPI.py", line 1055, in quote
_chkrc(ret)
File "/home/gateway/.virtualenvs/demonstrator-gateway/lib/python3.11/site-packages/tpm2_pytss/internal/utils.py", line 176, in _chkrc
raise TSS2_Exception(rc)
tpm2_pytss.TSS2_Exception.TSS2_Exception: esapi:Catch all for all errors not otherwise specified
When I try to use the FAPI from the command line with e.g. tss2 getrandom -n 4 -o -, I get the same error.
But if I don't use the OPENSSL_CONF environment variable with my changed configuration, the FAPI command works.
The only thing I have changed in the configuration is the activation of the TPM.
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
alg_section = alg_sect
[alg_sect]
default_properties = ?provider=tpm2
# List of providers to load
[provider_sect]
default = default_sect
tpm2 = tpm2_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
activate = 1
[tpm2_sect]
activate = 1
Either there is a problem in the interaction between FAPI and OpenSSL, or I am doing something wrong. Maybe someone can help me with this.
VERSIONS
tpm2-abrmd: 3.0.0
tpm2-openssl: 1.2.0
tpm2-tools: 5.6
tpm2-tss: 4.0.1
TPM: Evaluation board OPTIGA TPM SLM 9670 Iridium board
OpenSSL: 3.0.15
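A note on what the log above points at, followed by an added diagnostic script (not code from tpm2-tss, tpm2-openssl or tpm2-pytss). The innermost failing frame is iesys_cryptossl_get_ecdh_point() in esys_crypto_ossl.c, which is ESYS's own software crypto: it asks OpenSSL to generate an ephemeral EC key so it can encrypt the salt of the session it is starting for the quote. With `default_properties = ?provider=tpm2` in effect, OpenSSL 3 prefers the tpm2 provider for every algorithm that provider implements, EC key generation included, so the "software" keygen that the TPM stack needs in order to talk to the TPM is itself redirected to the TPM. That is the most likely reason the FAPI tools only fail when this OPENSSL_CONF is set. The `?` makes the query a preference rather than a hard requirement, but it still wins whenever the tpm2 provider offers the algorithm. The script below reads the same section chain OpenSSL follows ([openssl_init] -> providers / alg_section), reports which providers are activated and whether the global property query names tpm2, and writes a copy of the config with only the `default_properties` line removed so the two files can be A/B tested with OPENSSL_CONF against the same FAPI command. The embedded sample config is constructed to mirror the one posted in the issue.

```python
"""Check whether an OpenSSL 3 config steers algorithm fetches to the tpm2 provider.

Added example for this issue; it is not code from tpm2-tss, tpm2-openssl or
tpm2-pytss. It follows [openssl_init] -> providers and -> alg_section the way
OpenSSL does, reports what is activated, and can write a variant of the
config with the global default_properties dropped for A/B testing.
"""
import configparser
import re
import sys

# Constructed sample: the provider/alg sections from the issue, plus the
# top-level "openssl_conf = openssl_init" line a real file carries.
SAMPLE_CONF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = alg_sect

[alg_sect]
default_properties = ?provider=tpm2

[provider_sect]
default = default_sect
tpm2 = tpm2_sect

[default_sect]
activate = 1

[tpm2_sect]
activate = 1
"""

_TOP = "__top__"  # synthetic section for keys that precede the first [section]
_PROPS_LINE = re.compile(r"^[ \t]*default_properties[ \t]*=.*\n?", re.MULTILINE)


def parse_openssl_conf(text):
    """Parse an OpenSSL config as INI. Indentation is stripped so configparser
    does not treat indented keys as value continuations; '.include' lines are
    tolerated (allow_no_value) but not followed."""
    flat = "\n".join(line.lstrip() for line in text.splitlines())
    cfg = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False, allow_no_value=True
    )
    cfg.optionxform = str  # OpenSSL section and key names are case-sensitive
    cfg.read_string(f"[{_TOP}]\n" + flat)
    return cfg


def _init_section(cfg):
    # Follow openssl_conf = <section>; fall back to the conventional name.
    return cfg[_TOP].get("openssl_conf") or "openssl_init"


def activated_providers(cfg):
    """Names of providers whose section has activate = 1, in config order."""
    init = _init_section(cfg)
    prov_sect = cfg[init].get("providers") if cfg.has_section(init) else None
    if not prov_sect or not cfg.has_section(prov_sect):
        return []
    active = []
    for name, sect in cfg[prov_sect].items():
        if sect and cfg.has_section(sect) and (cfg[sect].get("activate") or "0").strip() == "1":
            active.append(name)
    return active


def default_properties(cfg):
    """The global property query string, or None if the config sets none."""
    init = _init_section(cfg)
    alg_sect = cfg[init].get("alg_section") if cfg.has_section(init) else None
    if not alg_sect or not cfg.has_section(alg_sect):
        return None
    return cfg[alg_sect].get("default_properties")


def prefers_tpm2(props):
    """True if the query names the tpm2 provider. '?provider=tpm2' prefers it
    and 'provider=tpm2' requires it; either sends every algorithm the tpm2
    provider implements, EC key generation included, to the TPM."""
    return bool(props) and re.search(r"provider\s*=\s*tpm2\b", props) is not None


def strip_default_properties(text):
    """Return the config with every default_properties line removed. Provider
    activation is untouched, so the tpm2 provider stays loaded and an
    application can still select it explicitly with its own property query."""
    return _PROPS_LINE.sub("", text)


def report(text):
    cfg = parse_openssl_conf(text)
    props = default_properties(cfg)
    return {
        "providers": activated_providers(cfg),
        "default_properties": props,
        "steers_to_tpm2": prefers_tpm2(props),
    }


if __name__ == "__main__":
    # usage: check_openssl_conf.py [openssl.cnf [variant-without-props.cnf]]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(report(src))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as out:
            out.write(strip_default_properties(src))
```

To isolate the trigger, run the same FAPI command from the issue three times: without OPENSSL_CONF, with OPENSSL_CONF pointing at the original file, and with it pointing at the variant the script writes. If only the original file fails, the global property query is what breaks the ESYS session setup, and the fix is to keep the tpm2 provider activated but drop the global `default_properties`, selecting the provider only where the websocket application loads its TPM key (OpenSSL 3 lets an application pass a property query when it fetches or loads an object) instead of forcing it on every OpenSSL user in the process, the TPM stack included.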