Bug 1984634
| Summary: | Call to EVP_PKEY_new_mac_key() fails with move to openssl 3.0 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jerry Snitselaar <jsnitsel> |
| Component: | tpm2-tss | Assignee: | Štěpán Horáček <shoracek> |
| Status: | CLOSED ERRATA | QA Contact: | Vilém Maršík <vmarsik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.0 | CC: | bhu, core-kernel-mgr, dbohanno, rvr, shoracek, skozina, vmarsik, ykopkova |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tpm2-tss-3.0.3-6.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-17 15:36:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Jerry Snitselaar
2021-07-21 19:44:07 UTC
EVP_PKEY_new_mac_key is deprecated as of 3.0, but should still work.

Jerry, what should QA do here? I don't know how to re-run gating tests. Also not sure what is meant by "Issuing a tpm2 clear command will exercise the code path." - does it work around, or does it reproduce the problem?

tpm2 clear will currently reproduce the problem. It calls into the tpm2-tss libraries and ends up in the code path where this is called and the failure happens.

Taking a quick look at upstream it looks like there is some openssl 3 support code now in the tpm2-tss repo:

```
362fda1daa39 Implement EVP_PKEY export/import for OpenSSL 3.0 | 2021-08-02 | (Petr Gotthard)
73d25d6834ad Drop support for OpenSSL < 1.1.0 | 2021-08-02 | (Petr Gotthard)
aeb5ae44b77a Test: Use EVP_MAC_xxx with OpenSSL 3.0 | 2021-08-02 | (Petr Gotthard)
f4f528ffb633 FAPI: Change SHA256_Update to EVP_DigestUpdate | 2021-08-02 | (Petr Gotthard)
fdc4f481bb37 Require OpenSSL >= 1.1.0 | 2021-08-02 | (Petr Gotthard)
8fdfadd2dd2d FAPI Test: Change RSA_sign to EVP_PKEY_sign | 2021-07-19 | (Petr Gotthard)
0b24bc2dd260 FAPI Test: Use EVP_PKEY_base_id to detect key type | 2021-07-19 | (Petr Gotthard)
c73be98c187c FAPI Test: Call EVP_DigestSignInit in the correct order | 2021-07-19 | (Petr Gotthard)
c77edfa0e66a Test: Remove duplicate openssl req -new | 2021-07-19 | (Petr Gotthard)
19684f210ec9 Makefile.am: Use LIBCRYPTO_CFLAGS when building FAPI | 2021-07-19 | (Petr Gotthard)
```

tpm2-tools as well:

```
318926d05b7d openssl: Replace deprecated X509_get_ by X509_getm_ | 2021-08-09 | (Petr Gotthard)
1b9e4af98693 openssl: Replace SHA256_CTX by EVP_MD_CTX | 2021-08-09 | (Petr Gotthard)
0bd0ea74b84e openssl: Remove unnecesary EVP_CIPHER_CTX and HMAC_CTX wrappers | 2021-08-09 | (Petr Gotthard)
e3ba5e1ad87d openssl: Remove functions that have no effect in OpenSSL >= 1.1.0 | 2021-08-09 | (Petr Gotthard)
1e439d8513f0 openssl: Remove support for OpenSSL < 1.1.0 | 2021-08-09 | (Petr Gotthard)
```

Okay, acking the bug, providing that it easily reproduces with "tpm2_clear".

Could not reproduce with tpm2-tss-3.0.3-1.el9.x86_64 and running tpm2_clear. Devel, could you be more specific on how to reproduce this problem?

```
[root@intel-eaglestream-spr-06 ~]# dmesg -c
[root@intel-eaglestream-spr-06 ~]# tpm2_clear
[root@intel-eaglestream-spr-06 ~]# dmesg
[root@intel-eaglestream-spr-06 ~]# rpm -q tpm2-tools tpm2-tss
tpm2-tools-5.0-8.el9.x86_64
tpm2-tss-3.0.3-1.el9.x86_64
[root@intel-eaglestream-spr-06 ~]# uname -r
5.14.0-1.el9.x86_64
```

Vilem, Did it install tpm2-tss-3.0.3-1.el9 on the system? 3.0.3-1 wasn't built against the openssl 3 library so I'm not quite sure what is going on there. I imagine you could reproduce with the 3.0.3-4.el9 and 3.0.3-5.el9 builds since they were built with openssl3, and 3.0.3-6 should be the fixed build.

Thanks, now I can reproduce, and the fixed version looks okay:

```
# tpm2_clear
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1243:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1341:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_clear
# rpm -q tpm2-tools tpm2-tss
tpm2-tools-5.0-8.el9.x86_64
tpm2-tss-3.0.3-4.el9.x86_64
# dnf install tpm2-tss-3.0.3-6.el9.x86_64.rpm
(...)
# rpm -q tpm2-tools tpm2-tss
tpm2-tools-5.0-8.el9.x86_64
tpm2-tss-3.0.3-6.el9.x86_64
# dmesg -c
# tpm2_clear
# dmesg -c
#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: tpm2-tss), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3895
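A triage helper for the tpm2_clear error output quoted in this report, added here as an example and not part of the bug thread or of tpm2-tss: it parses the library log frames, decodes the TSS2_RC value, and reports the innermost failing call with the call chain that led to it. The function names and the `LAYERS` table are this example's own; the layer numbers follow the TSS2 return-code layout (layer in bits 16-23).

```python
import re

# Error output of tpm2_clear, copied from the bug report above.
SAMPLE = """\
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1243:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1341:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_clear
"""

# TSS2_RC layout: bits 16-23 name the layer, bits 0-15 the error within it.
LAYERS = {0: "tpm", 6: "fapi", 7: "esapi", 8: "sys", 9: "mu", 10: "tcti",
          11: "resmgr", 12: "resmgr_tpm"}

# Library frames: ERROR:<module>:<file>:<line>:<function>() <text> ErrorCode (<rc>) <text>
FRAME_RE = re.compile(
    r"^ERROR:(?P<module>\w+):(?P<file>[^:]+):(?P<line>\d+):(?P<func>\w+)\(\)\s+"
    r"(?P<msg>.*?)\s*ErrorCode \((?P<rc>0x[0-9a-fA-F]+)\)\s*(?P<tail>.*)$")


def decode_rc(rc):
    """Split a TSS2_RC into (layer name, layer-specific error number)."""
    return LAYERS.get((rc >> 16) & 0xFF, "unknown"), rc & 0xFFFF


def parse_frames(log):
    """Return the library frames in log order; tool-level lines are skipped."""
    frames = []
    for raw in log.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            detail = f"{m['msg']} {m['tail']}".strip()
            frames.append({"func": m["func"], "where": f"{m['file']}:{m['line']}",
                           "rc": int(m["rc"], 16), "detail": detail})
    return frames


def root_cause(log):
    """Summarise the failure; in this output the first frame is the innermost."""
    frames = parse_frames(log)
    if not frames:
        return None
    layer, error = decode_rc(frames[0]["rc"])
    return {**frames[0], "layer": layer, "error": error,
            "call_chain": [f["func"] for f in reversed(frames)]}
```

On the sample, the summary points at `iesys_cryptossl_hmac_start` in `esys_crypto_ossl.c:328` with detail `EVP_PKEY_new_mac_key`, and error 1 in the ESAPI layer is the general-failure code that the tool prints as "Catch all for all errors not otherwise specified".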