tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License
151 stars 100 forks source link

ErrorCode (0x000002d2) during mTLS connection with tls1.2 #282

Open nyi2thwin opened 7 months ago

nyi2thwin commented 7 months ago

Hi,

I have an issue with using tss engine when server is configure to be tls1.2 for both min max value. Look like during SSL negotiation it is trying to use the Signature Algorithm that client's tpm key doesn't support and failed with WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000002d2) If we set -sigalgs to be ECDSA+SHA384 only then it works fine.

Expected behaviors: It should only negotiate the Signature Algorithm that client's tpm key support.

openssl s_client log:

engine "tpm2tss" set.
CONNECTED(00000003)
depth=1 O = EDGE, CN = ece.eo.edge.com
verify return:1
depth=0 CN = mtls.internal.use.only
verify return:1
WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000002d2)
140264726453312:error:8007806D:tpm2-tss-engine:ecdsa_sign:Unknown TPM error occurred. Please check tpm2tss logs:src/tpm2-tss-engine-ecc.c:252:
140264726453312:error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib:ssl/statem/statem_lib.c:308:
---
Certificate chain
 0 s:CN = mtls.internal.use.only
   i:O = EDGE, CN = ece.eo.edge.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICHjCCAcSgAwIBAgIUS/9k7JvvvzeljVSBb8RrwAU79oEwCgYIKoZIzj0EAwIw
MzESMBAGA1UEChMJREVMTC1FREdFMR0wGwYDVQQDExRlY2UuZW8uZWRnZS5kZWxs
LmNvbTAgFw0yNDAyMTYxMTE1MjdaGA8yMDU0MDIwODExMDczMFowJjEkMCIGA1UE
AxMbbXRscy5lZGdlLmludGVybmFsLnVzZS5vbmx5MFkwEwYHKoZIzj0CAQYIKoZI
...
...
BgNVHREERTBDghttdGxzLmVkZ2UuaW50ZXJuYWwudXNlLm9ubHmCJG10bHMucmVj
b3ZlcnkuZWRnZS5pbnRlcm5hbC51c2Uub25seTAKBggqhkjOPQQDAgNIADBFAiAk
WcgX5Nf4nH4390bfC0DsJxnh9v1v6IZNvfEJ6/JimAIhAK3vKmZUeMMwlu9acH5f
IEbx1+KbT326tSZKQqkrJUUO
-----END CERTIFICATE-----
subject=CN = mtls.internal.use.only

issuer=O = EDGE, CN = ece.eo.edge.com

---
Acceptable client certificate CA names
O = EDGE, CN = ece.eo.edge.com
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 846 bytes and written 1433 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key: E1B6270012A8850DD033A4E050702F8FF46017507853582D19AF5BA77BBA2E019B00D8CAE7A71A8A63C1BE0E9A653975
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1713497002
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Full tss engine debug log:

debug:marshal:src/tss2-mu/tpm2b-types.c:304:Tss2_MU_TPM2B_DIGEST_Marshal() offset parameter non-NULL, updated t
debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 121 byte command buffer: (size=121):
0000: 8002000000790000015d810000010000  .....y...]......
0010: 00094000000900000000000020594783  ..@..........YG.
0020: 96209e6ae6b994df04d643600aa259e2  ...j......C`..Y.
0030: a1a50da0e4c8e89103fac9d28a001800  ................
0040: 0b8024400000010030695f311d34dfe9  ..$@....0i_1.4..
0050: feed485568be98f6633a3dfbb2879410  ..HUh...c:=.....
0060: 81efea7d1eb33872d4616fe2bfab2894  ...}..8r.ao...(.
0070: fe4e209158a875773b                .N..X.uw;
debug:tcti:src/util/io.c:94:write_all() writing 121 bytes starting at 0x55d1ca9a7f80 to fd 4
debug:tcti:src/util/io.c:108:write_all() wrote 121 bytes to fd 4
debug:tcti:src/tss2-tcti/tcti-device.c:183:tcti_device_receive() Partial read - reading response size
debug:tcti:src/tss2-tcti/tcti-device.c:203:tcti_device_receive() Partial read - received header
debug:marshal:src/tss2-mu/base-types.c:174:Tss2_MU_UINT32_Unmarshal() Unmarshaling UINT32 from 0x7ffd87e22c4e t0x7ffd87e22c34 at index 0x2
debug:marshal:src/tss2-mu/base-types.c:174:Tss2_MU_UINT32_Unmarshal() offset parameter non-NULL, updated to 6
debug:tcti:src/tss2-tcti/tcti-device.c:216:tcti_device_receive() Partial read - received response size 10.
debug:marshal:src/tss2-mu/base-types.c:180:Tss2_MU_TPM2_ST_Unmarshal() Unmarshaling TPM2_ST from 0x55d1ca9a7f80r 0x55d1ca9a7f4e at index 0x0
debug:marshal:src/tss2-mu/base-types.c:180:Tss2_MU_TPM2_ST_Unmarshal() offset parameter non-NULL, updated to 2
debug:marshal:src/tss2-mu/base-types.c:174:Tss2_MU_UINT32_Unmarshal() Unmarshaling UINT32 from 0x55d1ca9a7f80 t0x55d1ca9a7f50 at index 0x2
debug:marshal:src/tss2-mu/base-types.c:174:Tss2_MU_UINT32_Unmarshal() offset parameter non-NULL, updated to 6
debug:marshal:src/tss2-mu/base-types.c:174:Tss2_MU_UINT32_Unmarshal() Unmarshaling UINT32 from 0x55d1ca9a7f80 t0x55d1ca9a7f54 at index 0x6
debug:marshal:src/tss2-mu/base-types.c:174:Tss2_MU_UINT32_Unmarshal() offset parameter non-NULL, updated to 10
WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000002d2)