ENGINE_init fails on TPM engine

2019-10-16 Thread Yichun Ding
openssl version: *1.0.1e*

During reboot, the following code is used to set up the tpm engine:

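    /* needs <openssl/engine.h> and <openssl/err.h> */
    ENGINE_load_builtin_engines();
    e = ENGINE_by_id("tpm");
    if (!e) {
        /* the engine isn't available */
        ERR("ENGINE_by_id failed.");
        ERR_print_errors_fp(stderr);
        return CU_ERROR;
    }

    if (!ENGINE_init(e)) {
        /* ERR_get_error() returns unsigned long; 0 means the queue is empty */
        unsigned long err_num = ERR_get_error();
        char buf[128] = {0};

        ERR("ENGINE_init failed.");
        printf("ENGINE_init error: %s\n", ERR_error_string(err_num, buf));
        /* release the structural reference taken by ENGINE_by_id() */
        ENGINE_free(e);
        return CU_ERROR;
    }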

What happens is that ENGINE_init(e) fails sometimes (not always) with the
following error:

*ENGINE_init error: error::lib(0):func(0):reason(0)*

There is no race condition in this case as far as I can tell.

Is this a bug in this version of openSSL?

Thanks,
Joe


[openssl-users] SSL Handshake with TPM using TPM Engine

2017-12-04 Thread Devang Kubavat
Hi All,



*SSL handshake with TPM using TPM Engine:* I am generating the RSA keys in
the TPM, and the private key will never come out of the TPM.

I want to do the SSL handshake in this scenario.
Can you please point out to me which functions in the SSL handshake use the
RSA private key, so that I can register those functions in the TPM Engine to
perform the RSA private key related operations?

Is there any reference implementation for SSL handshake using TPM via TPM
Engine?

Regards,
Digant
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] openssl-tpm-engine

2015-03-03 Thread Roger No-Spam
Hi,

I'm experimenting a bit with the tpm engine (openssl_tpm_engine-0.4.2). My
objective is to see how easy it is to use this engine with openssl-1.0.1.
Since the README file states that openssl-0.9.8 is a requirement, I
started using that openssl version. However, I have tried to use the tpm
engine with three different openssl-0.9.8 versions, but all three
crash with different call stacks when using the basic example from
the README file (Create a self-signed cert using the TPM engine). I'm
starting to suspect that I have overlooked something fundamental. Is the
openssl-tpm-engine supposed to work on 64-bit machines? Or is there
something else I need to consider?

Below is some additional info on the crashes I'm seeing. All crashes are for
step 2:

    openssl req -keyform engine -engine tpm -key keyfilename -new -x509 -days 365 -out certfilename

openssl-0.9.8zb:
0  in BN_num_bits of bn_lib.c:232
1  in bn_i2c of x_bignum.c:117
2  in asn1_ex_i2c of tasn_enc.c:582
3  in asn1_i2d_ex_primitive of tasn_enc.c:523
4  in ASN1_item_ex_i2d of tasn_enc.c:154
5  in asn1_template_ex_i2d of tasn_enc.c:413
6  in ASN1_item_ex_i2d of tasn_enc.c:231
7  in asn1_item_flags_i2d of tasn_enc.c:122
8  in ASN1_item_i2d of tasn_enc.c:91
9  in i2d_RSAPublicKey of rsa_asn1.c:111
10 in i2d_PublicKey of i2d_pu.c:80
11 in X509_PUBKEY_set of x_pubkey.c:223
12 in X509_REQ_set_pubkey of x509rset.c:81
13 in make_REQ of req.c:1257
14 in req_main of req.c:914
15 in do_cmd of openssl.c:400
16 in main of openssl.c:318

openssl-0.9.8x:
0  in raise of /lib/x86_64-linux-gnu/libc.so.6
1  in abort of /lib/x86_64-linux-gnu/libc.so.6
2  in ?? of /lib/x86_64-linux-gnu/libc.so.6
3  in ?? of /lib/x86_64-linux-gnu/libc.so.6
4  in CRYPTO_free of mem.c:406
5  in asn1_item_combine_free of tasn_fre.c:176
6  in ASN1_item_free of tasn_fre.c:71
7  in X509_ATTRIBUTE_free of x_attrib.c:96
8  in sk_pop_free of stack.c:290
9  in EVP_PKEY_free of p_lib.c:468
10 in req_main of req.c:1183
11 in do_cmd of openssl.c:400
12 in main of openssl.c:318

I also tried openssl-0.9.8, but I didn't save the call stack of that crash.

I'm using ubuntu 14.04.

Regards Roger

  




Re: TPM engine

2011-05-04 Thread Nicholas Wehr
thanks

some detail just in case:

i was actually able to get it to link and invoke the engine functions. when
trying to sign data, the call would fail because the pkey structure was not
correctly filled out by the engine, the field ameth in the structure is
left NULL.

if i try the same call against the openssl 0.9.8 branch, the call correctly
works with the trousers TPM engine.

cheers
-nicholas


Nicholas Wehr
Senior Software Engineer
PRIMA Cinema, Inc.
1903 Wright Pl
Suite 320
Carlsbad, CA 92008
email: nicholas.w...@primacinema.com
m 616.425.9347


On Tue, May 3, 2011 at 8:04 AM, Kenneth Goldman kgold...@us.ibm.com wrote:

 I'd try a trousers mailing list as well.

 I just compiled trousers and linked with openssl 1.0.0 and it works.  But I
 didn't try the TPM engine, which I understand to be a layer on top of
 trousers.

 Did you 'discover' that it doesn't work through documentation or did you
 try to link?  My experience is that most openssl linker errors and runtime
 segfaults are due to mixing different versions of openssl on a platform.
  openssl releases often break binary compatibility.

 owner-openssl-us...@openssl.org wrote on 05/02/2011 08:32:38 PM:

  From: Nicholas Wehr openssl-develop...@primacinema.com
  To: openssl-users@openssl.org
  Date: 05/02/2011 08:36 PM
 
  We're looking at using the Trousers stack for the backend of openssl
  in order to :
  provide access to an RSA key stored within the TPM
  use the TPM crypto functions
  We've now discovered that the Trousers engine
  (libengine_tpm_openssl) does not work with the 1.0.0 branch of
  openssl. What are you doing to integrate your TPM? Is there a
  Trousers alternative? Is there a modification/patch available to get
  the 1.0.0 to address the issue?
 
  http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.1/openssl_tpm_engine-0.4.1.tar.gz/download
 
  Thanks!
  -nicholas



Re: TPM engine

2011-05-04 Thread Dr. Stephen Henson
On Tue, May 03, 2011, Nicholas Wehr wrote:

 thanks
 
 some detail just in case:
 
 i was actually able to get it to link and invoke the engine functions. when
 trying to sign data, the call would fail because the pkey structure was not
 correctly filled out by the engine, the field ameth in the structure is
 left NULL.
 
 if i try the same call against the openssl 0.9.8 branch, the call correctly
 works with the trousers TPM engine.
 

That suggests that an EVP_PKEY structure is being initialised incorrectly. In
previous versions of OpenSSL an application could (but it was strongly advised
against) manually set the pkey->pkey.rsa structure and type.

If the function EVP_PKEY_assign_RSA() is used this should resolve that issue:
that function exists in OpenSSL 0.9.8 too so it should work in both versions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: TPM engine

2011-05-03 Thread Kenneth Goldman
I'd try a trousers mailing list as well.

I just compiled trousers and linked with openssl 1.0.0 and it works.  But 
I didn't try the TPM engine, which I understand to be a layer on top of 
trousers.

Did you 'discover' that it doesn't work through documentation or did you 
try to link?  My experience is that most openssl linker errors and runtime 
segfaults are due to mixing different versions of openssl on a platform. 
openssl releases often break binary compatibility.

owner-openssl-us...@openssl.org wrote on 05/02/2011 08:32:38 PM:

 From: Nicholas Wehr openssl-develop...@primacinema.com
 To: openssl-users@openssl.org
 Date: 05/02/2011 08:36 PM
 
 We're looking at using the Trousers stack for the backend of openssl
 in order to :
 provide access to an RSA key stored within the TPM
 use the TPM crypto functions
 We've now discovered that the Trousers engine 
 (libengine_tpm_openssl) does not work with the 1.0.0 branch of 
 openssl. What are you doing to integrate your TPM? Is there a 
 Trousers alternative? Is there a modification/patch available to get
 the 1.0.0 to address the issue?
 
 http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.1/openssl_tpm_engine-0.4.1.tar.gz/download
 
 Thanks!
 -nicholas
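
Added example, not part of the original thread: one way to check the point made above about mixing OpenSSL versions, by comparing the libcrypto/libssl that the openssl binary and the engine library resolve to in `ldd` output. The `ldd` listings and paths are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample `ldd` listings (not captured from a real host).
SAMPLE_BIN='    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000200000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f00ff000000)'
SAMPLE_ENGINE_OK='    libtspi.so.1 => /usr/lib/libtspi.so.1 (0x00007f0001000000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000000000)'
SAMPLE_ENGINE_BAD='    libtspi.so.1 => /usr/lib/libtspi.so.1 (0x00007f0001000000)
    libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8 (0x00007f0002000000)'

# Print "soname resolved-path" for every libcrypto/libssl line of ldd output on stdin.
openssl_libs() {
    awk '$1 ~ /^lib(crypto|ssl)\.so/ && $2 == "=>" { print $1, $3 }' | sort -u
}

# check_mix BIN_LDD ENGINE_LDD
#   0: every OpenSSL library the engine resolves is the one the binary resolves
#   1: the engine resolves a different soname or path (mixed versions)
#   2: the engine lists no libcrypto/libssl, so there is nothing to compare
check_mix() {
    bin_libs=$(printf '%s\n' "$1" | openssl_libs)
    eng_libs=$(printf '%s\n' "$2" | openssl_libs)
    if [ -z "$eng_libs" ]; then
        echo "UNKNOWN: engine lists no libcrypto/libssl dependency"
        return 2
    fi
    mismatched=$(printf '%s\n' "$eng_libs" | while read -r line; do
        printf '%s\n' "$bin_libs" | grep -qxF -- "$line" || echo "$line"
    done)
    if [ -n "$mismatched" ]; then
        echo "MISMATCH: engine resolves: $mismatched"
        echo "          binary resolves: $bin_libs"
        return 1
    fi
    echo "OK: engine and binary resolve the same OpenSSL libraries"
}

# Real use: check_files /path/to/openssl /path/to/engine.so (paths are yours).
check_files() {
    check_mix "$(ldd "$1")" "$(ldd "$2")"
}

# Demonstration on the constructed samples: prints the MISMATCH report.
check_mix "$SAMPLE_BIN" "$SAMPLE_ENGINE_BAD" || true
```

`ldd` can execute code from the file it inspects, so run `check_files` only on binaries and engine libraries you already trust.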

TPM engine

2011-05-02 Thread Nicholas Wehr
Hello group,

We're looking at using the Trousers stack for the backend of openssl in
order to :

   - provide access to an RSA key stored within the TPM
   - use the TPM crypto functions

We've now discovered that the Trousers engine (libengine_tpm_openssl) does
not work with the 1.0.0 branch of openssl. What are you doing to integrate
your TPM? Is there a Trousers alternative? Is there a modification/patch
available to get the 1.0.0 to address the issue?

http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.1/openssl_tpm_engine-0.4.1.tar.gz/download

Thanks!
-nicholas