Description of problem:
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1243:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1341:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)

Version-Release number of selected component (if applicable):

How reproducible:
Running the tpm2-tss gating test will hit the failure. Issuing a tpm2 clear command will exercise the code path.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

EVP_PKEY_new_mac_key is deprecated as of 3.0, but should still work.
Jerry, what should QA do here? I don't know how to re-run gating tests. Also not sure what is meant by "Issuing a tpm2 clear command will exercise the code path." - does it work around, or does it reproduce the problem?
tpm2 clear will currently reproduce the problem. It calls into the tpm2-tss libraries and ends up in the code path where this is called and the failure happens.
Taking a quick look at upstream it looks like there is some openssl 3 support code now in the tpm2-tss repo:

362fda1daa39 Implement EVP_PKEY export/import for OpenSSL 3.0 | 2021-08-02 | (Petr Gotthard)
73d25d6834ad Drop support for OpenSSL < 1.1.0 | 2021-08-02 | (Petr Gotthard)
aeb5ae44b77a Test: Use EVP_MAC_xxx with OpenSSL 3.0 | 2021-08-02 | (Petr Gotthard)
f4f528ffb633 FAPI: Change SHA256_Update to EVP_DigestUpdate | 2021-08-02 | (Petr Gotthard)
fdc4f481bb37 Require OpenSSL >= 1.1.0 | 2021-08-02 | (Petr Gotthard)
8fdfadd2dd2d FAPI Test: Change RSA_sign to EVP_PKEY_sign | 2021-07-19 | (Petr Gotthard)
0b24bc2dd260 FAPI Test: Use EVP_PKEY_base_id to detect key type | 2021-07-19 | (Petr Gotthard)
c73be98c187c FAPI Test: Call EVP_DigestSignInit in the correct order | 2021-07-19 | (Petr Gotthard)
c77edfa0e66a Test: Remove duplicate openssl req -new | 2021-07-19 | (Petr Gotthard)
19684f210ec9 Makefile.am: Use LIBCRYPTO_CFLAGS when building FAPI | 2021-07-19 | (Petr Gotthard)

tpm2-tools as well:

318926d05b7d openssl: Replace deprecated X509_get_ by X509_getm_ | 2021-08-09 | (Petr Gotthard)
1b9e4af98693 openssl: Replace SHA256_CTX by EVP_MD_CTX | 2021-08-09 | (Petr Gotthard)
0bd0ea74b84e openssl: Remove unnecesary EVP_CIPHER_CTX and HMAC_CTX wrappers | 2021-08-09 | (Petr Gotthard)
e3ba5e1ad87d openssl: Remove functions that have no effect in OpenSSL >= 1.1.0 | 2021-08-09 | (Petr Gotthard)
1e439d8513f0 openssl: Remove support for OpenSSL < 1.1.0 | 2021-08-09 | (Petr Gotthard)

Okay, acking the bug, providing that it easily reproduces with "tpm2_clear".
Could not reproduce with tpm2-tss-3.0.3-1.el9.x86_64 and running tpm2_clear. Devel, could you be more specific on how to reproduce this problem?

[root@intel-eaglestream-spr-06 ~]# dmesg -c
[root@intel-eaglestream-spr-06 ~]# tpm2_clear
[root@intel-eaglestream-spr-06 ~]# dmesg
[root@intel-eaglestream-spr-06 ~]# rpm -q tpm2-tools tpm2-tss
tpm2-tools-5.0-8.el9.x86_64
tpm2-tss-3.0.3-1.el9.x86_64
[root@intel-eaglestream-spr-06 ~]# uname -r
5.14.0-1.el9.x86_64

Vilem, did it install tpm2-tss-3.0.3-1.el9 on the system? 3.0.3-1 wasn't built against the openssl 3 library so I'm not quite sure what is going on there. I imagine you could reproduce with the 3.0.3-4.el9 and 3.0.3-5.el9 builds since they were built with openssl3, and 3.0.3-6 should be the fixed build.
Thanks, now I can reproduce, and the fixed version looks okay:

# tpm2_clear
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1243:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1341:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_clear
# rpm -q tpm2-tools tpm2-tss
tpm2-tools-5.0-8.el9.x86_64
tpm2-tss-3.0.3-4.el9.x86_64
# dnf install tpm2-tss-3.0.3-6.el9.x86_64.rpm
(...)
# rpm -q tpm2-tools tpm2-tss
tpm2-tools-5.0-8.el9.x86_64
tpm2-tss-3.0.3-6.el9.x86_64
# dmesg -c
# tpm2_clear
# dmesg -c
#

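For triage of the ESYS error chain quoted in the comments above, the following is an added example (not part of the bug report or of tpm2-tss) that parses the log frames and splits the return code into its layer and base error. The layer and base-code tables follow tss2_common.h; the function names `parse_chain`, `decode_rc` and `triage` are hypothetical, and the sample is a subset of the lines in the report.

```python
import re

# ESYS log lines copied from the report above; the innermost frame is printed first.
SAMPLE = """\
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1243:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
"""

# TSS2_RC layout per tss2_common.h: (layer << 16) | error.
LAYERS = {0: "TPM", 6: "FEATURE", 7: "ESAPI", 8: "SYS", 9: "MU",
          10: "TCTI", 11: "RESMGR", 12: "RESMGR_TPM"}
BASE = {1: "GENERAL_FAILURE", 2: "NOT_IMPLEMENTED", 3: "BAD_CONTEXT",
        4: "ABI_MISMATCH", 5: "BAD_REFERENCE"}

FRAME = re.compile(r"^(?P<level>ERROR|WARNING):(?P<module>[\w-]+):(?P<file>[^:\s]+):"
                   r"(?P<line>\d+):(?P<func>\w+)\(\) (?P<msg>.*)$")
RC = re.compile(r"ErrorCode \((0x[0-9a-fA-F]+)\)")

def parse_chain(text):
    """Return one dict per library log frame; tool-level lines are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME.match(raw.strip())
        if not m:
            continue
        rc = RC.search(m["msg"])
        frames.append({"module": m["module"], "file": m["file"],
                       "line": int(m["line"]), "func": m["func"],
                       "rc": int(rc.group(1), 16) if rc else None})
    return frames

def decode_rc(rc):
    """Split a TSS2_RC into (layer name, base error name or hex)."""
    layer, code = (rc >> 16) & 0xFF, rc & 0xFFFF
    if layer == 0:  # TPM layer: low bits are TPM2 response codes, not base codes
        return "TPM", f"0x{code:04x}"
    return LAYERS.get(layer, f"layer {layer}"), BASE.get(code, f"0x{code:04x}")

def triage(text):
    """Summarise the innermost frame, which is where the failure originated."""
    frames = parse_chain(text)
    if not frames or frames[0]["rc"] is None:
        return None
    f = frames[0]
    layer, code = decode_rc(f["rc"])
    return f"{f['func']} ({f['file']}:{f['line']}) -> {layer}/{code}"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The decoded layer and base error match the "esapi:Catch all for all errors not otherwise specified" text that tpm2_clear prints, which is why the return code alone does not identify the failing OpenSSL call; the innermost frame does.
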
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: tpm2-tss), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:3895