ENGINE_init fails on TPM engine
openssl version: *1.0.1e*

During reboot, the following code is used to set up the tpm engine:

    ENGINE_load_builtin_engines();
    e = ENGINE_by_id("tpm");
    if (!e) {
        /* the engine isn't available */
        ERR("ENGINE_by_id failed.");
        ERR_print_errors_fp(stderr);
        return CU_ERROR;
    }
    if (!ENGINE_init(e)) {
        /* ERR_get_error() returns unsigned long, not int */
        unsigned long err_num = ERR_get_error();
        char buf[128] = {0};
        ERR("ENGINE_init failed.");
        printf("ENGINE_init error: %s\n", ERR_error_string(err_num, buf));
        /* release the structural reference taken by ENGINE_by_id() */
        ENGINE_free(e);
        return CU_ERROR;
    }

What happens is that ENGINE_init(e) fails sometimes (not always) with the following error:

    ENGINE_init error: error::lib(0):func(0):reason(0)

There is no race condition in this case as far as I can tell. Is this a bug in this version of OpenSSL?

Thanks,
Joe
[openssl-users] SSL Handshake with TPM using TPM Engine
Hi All,

SSL handshake with TPM using TPM Engine:

I am generating the RSA keys in the TPM and the private key will never come out of the TPM. I want to do an SSL handshake in this scenario.

Can you please point out to me which functions in the SSL handshake use the RSA private key, so that I can register those functions in the TPM Engine to perform RSA private-key operations?

Is there any reference implementation for SSL handshake using TPM via TPM Engine?

Regards,
Digant

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] openssl-tpm-engine
Hi,

I'm experimenting a bit with the tpm engine (openssl_tpm_engine-0.4.2). My objective is to see how easy it is to use this engine with openssl-1.0.1. Since the README file states that openssl-0.9.8 is a requirement, I started using that openssl version.

However, I have tried to use the tpm engine with three different openssl-0.9.8 versions, but all three crash with different call stacks when using the basic example from the README file (Create a self-signed cert using the TPM engine). I'm starting to suspect that I have overlooked something fundamental. Is the openssl-tpm-engine supposed to work on 64 bit machines? Or is there something else I need to consider?

Below is some additional info on the crashes I'm seeing. All crashes are for step 2:

    openssl req -keyform engine -engine tpm -key keyfilename -new -x509 -days 365 -out certfilename

openssl-0.9.8zb:

    0 in BN_num_bits of bn_lib.c:232
    1 in bn_i2c of x_bignum.c:117
    2 in asn1_ex_i2c of tasn_enc.c:582
    3 in asn1_i2d_ex_primitive of tasn_enc.c:523
    4 in ASN1_item_ex_i2d of tasn_enc.c:154
    5 in asn1_template_ex_i2d of tasn_enc.c:413
    6 in ASN1_item_ex_i2d of tasn_enc.c:231
    7 in asn1_item_flags_i2d of tasn_enc.c:122
    8 in ASN1_item_i2d of tasn_enc.c:91
    9 in i2d_RSAPublicKey of rsa_asn1.c:111
    10 in i2d_PublicKey of i2d_pu.c:80
    11 in X509_PUBKEY_set of x_pubkey.c:223
    12 in X509_REQ_set_pubkey of x509rset.c:81
    13 in make_REQ of req.c:1257
    14 in req_main of req.c:914
    15 in do_cmd of openssl.c:400
    16 in main of openssl.c:318

openssl-0.9.8x:

    0 in raise of /lib/x86_64-linux-gnu/libc.so.6
    1 in abort of /lib/x86_64-linux-gnu/libc.so.6
    2 in ?? of /lib/x86_64-linux-gnu/libc.so.6
    3 in ?? of /lib/x86_64-linux-gnu/libc.so.6
    4 in CRYPTO_free of mem.c:406
    5 in asn1_item_combine_free of tasn_fre.c:176
    6 in ASN1_item_free of tasn_fre.c:71
    7 in X509_ATTRIBUTE_free of x_attrib.c:96
    8 in sk_pop_free of stack.c:290
    9 in EVP_PKEY_free of p_lib.c:468
    10 in req_main of req.c:1183
    11 in do_cmd of openssl.c:400
    12 in main of openssl.c:318

I also tried openssl-0.9.8, but I didn't save the call stack of that crash. I'm using ubuntu 14.04.

Regards
Roger
Re: TPM engine
thanks

some detail just in case: i was actually able to get it to link and invoke the engine functions. when trying to sign data, the call would fail because the pkey structure was not correctly filled out by the engine, the field ameth in the structure is left NULL. if i try the same call against the openssl 0.9.8 branch, the call correctly works with the trousers TPM engine.

cheers
-nicholas

Nicholas Wehr
Senior Software Engineer
PRIMA Cinema, Inc.
1903 Wright Pl Suite 320
Carlsbad, CA 92008
email: nicholas.w...@primacinema.com
m 616.425.9347

On Tue, May 3, 2011 at 8:04 AM, Kenneth Goldman kgold...@us.ibm.com wrote:

> I'd try a trousers mailing list as well.
>
> I just compiled trousers and linked with openssl 1.0.0 and it works. But I didn't try the TPM engine, which I understand to be a layer on top of trousers.
>
> Did you 'discover' that it doesn't work through documentation or did you try to link?
>
> My experience is that most openssl linker errors and runtime segfaults are due to mixing different versions of openssl on a platform. openssl releases often break binary compatibility.
>
> owner-openssl-us...@openssl.org wrote on 05/02/2011 08:32:38 PM:
>
> > From: Nicholas Wehr openssl-develop...@primacinema.com
> > To: openssl-users@openssl.org
> > Date: 05/02/2011 08:36 PM
> >
> > We're looking at using the Trousers stack for the backend of openssl in order to:
> >
> > - provide access to an RSA key stored within the TPM
> > - use the TPM crypto functions
> >
> > We've now discovered that the Trousers engine (libengine_tpm_openssl) does not work with the 1.0.0 branch of openssl. What are you doing to integrate your TPM? Is there a Trousers alternative? Is there a modification/patch available to get the 1.0.0 to address the issue?
> >
> > http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.1/openssl_tpm_engine-0.4.1.tar.gz/download
> >
> > Thanks!
> > -nicholas
Re: TPM engine
On Tue, May 03, 2011, Nicholas Wehr wrote:

> thanks
>
> some detail just in case: i was actually able to get it to link and invoke the engine functions. when trying to sign data, the call would fail because the pkey structure was not correctly filled out by the engine, the field ameth in the structure is left NULL. if i try the same call against the openssl 0.9.8 branch, the call correctly works with the trousers TPM engine.

That suggests that an EVP_PKEY structure is being initialised incorrectly. In previous versions of OpenSSL an application could (but it was strongly advised against) manually set the pkey->pkey.rsa structure and type.

If the function EVP_PKEY_assign_RSA() is used this should resolve that issue: that function exists in OpenSSL 0.9.8 too so it should work in both versions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
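The failure discussed in this exchange, as an added illustration that is not part of the original posts and is not OpenSSL code: a simplified C model of why filling in the key type and `pkey->pkey.rsa` by hand leaves `ameth` NULL, while an assign helper of the kind Steve recommends sets the method table together with the key. All `toy_*` names and the type id are hypothetical stand-ins, and the model assumes the sign path dispatches through `ameth`.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the real structures; not OpenSSL definitions. */
typedef struct { int pkey_id; const char *name; } toy_asn1_method;
typedef struct { int dummy; } toy_rsa;
typedef struct {
    int type;                      /* key type id */
    const toy_asn1_method *ameth;  /* per-type method table (the field left NULL) */
    union { toy_rsa *rsa; void *ptr; } pkey;
} toy_pkey;

#define TOY_PKEY_RSA 6             /* constructed id for this model */
static const toy_asn1_method toy_methods[] = { { TOY_PKEY_RSA, "RSA" } };

/* Lookup an assign helper performs: type id -> method table. */
static const toy_asn1_method *toy_find_method(int type) {
    for (size_t i = 0; i < sizeof toy_methods / sizeof toy_methods[0]; i++)
        if (toy_methods[i].pkey_id == type) return &toy_methods[i];
    return NULL;
}

/* Old shortcut: the engine sets type and key by hand; ameth is never touched. */
static void toy_manual_set_rsa(toy_pkey *pk, toy_rsa *rsa) {
    pk->type = TOY_PKEY_RSA;
    pk->pkey.rsa = rsa;
}

/* Models the assign helper: type, ameth and key are set together. 1 = success. */
static int toy_assign_rsa(toy_pkey *pk, toy_rsa *rsa) {
    const toy_asn1_method *m = toy_find_method(TOY_PKEY_RSA);
    if (m == NULL || rsa == NULL) return 0;
    pk->type = m->pkey_id;
    pk->ameth = m;
    pk->pkey.rsa = rsa;
    return 1;
}

/* Models a sign path that needs ameth; a NULL method table means failure. */
static int toy_sign_usable(const toy_pkey *pk) {
    return pk != NULL && pk->ameth != NULL && pk->pkey.ptr != NULL;
}

int main(void) {
    toy_rsa key = {0};
    toy_pkey manual = {0}, assigned = {0};
    toy_manual_set_rsa(&manual, &key);
    toy_assign_rsa(&assigned, &key);
    printf("manual:   usable=%d\n", toy_sign_usable(&manual));
    printf("assigned: usable=%d\n", toy_sign_usable(&assigned));
    return 0;
}
```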
Re: TPM engine
I'd try a trousers mailing list as well.

I just compiled trousers and linked with openssl 1.0.0 and it works. But I didn't try the TPM engine, which I understand to be a layer on top of trousers.

Did you 'discover' that it doesn't work through documentation or did you try to link?

My experience is that most openssl linker errors and runtime segfaults are due to mixing different versions of openssl on a platform. openssl releases often break binary compatibility.

owner-openssl-us...@openssl.org wrote on 05/02/2011 08:32:38 PM:

> From: Nicholas Wehr openssl-develop...@primacinema.com
> To: openssl-users@openssl.org
> Date: 05/02/2011 08:36 PM
>
> We're looking at using the Trousers stack for the backend of openssl in order to:
>
> - provide access to an RSA key stored within the TPM
> - use the TPM crypto functions
>
> We've now discovered that the Trousers engine (libengine_tpm_openssl) does not work with the 1.0.0 branch of openssl. What are you doing to integrate your TPM? Is there a Trousers alternative? Is there a modification/patch available to get the 1.0.0 to address the issue?
>
> http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.1/openssl_tpm_engine-0.4.1.tar.gz/download
>
> Thanks!
> -nicholas
TPM engine
Hello group,

We're looking at using the Trousers stack for the backend of openssl in order to:

- provide access to an RSA key stored within the TPM
- use the TPM crypto functions

We've now discovered that the Trousers engine (libengine_tpm_openssl) does not work with the 1.0.0 branch of openssl. What are you doing to integrate your TPM? Is there a Trousers alternative? Is there a modification/patch available to get the 1.0.0 to address the issue?

http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.1/openssl_tpm_engine-0.4.1.tar.gz/download

Thanks!
-nicholas