* [tpm2] TPM2TSS engine for OpenSSL
@ 2018-06-13 10:16 Fuchs, Andreas
  0 siblings, 0 replies; 7+ messages in thread
From: Fuchs, Andreas @ 2018-06-13 10:16 UTC (permalink / raw)
  To: tpm2


Hi all,

I just wanted to announce that we pushed a new crypto engine for OpenSSL using the tpm2-tss software stack.
It is licensed under the BSD 3-clause license.
It currently includes RSA sign, RSA decrypt and ECDSA with TPM generated keys.
It uses ESAPI/ESYS (so it's a good usage example) and thus relies on the 2.0 series of tpm2-tss.
I'd like to see some testing and bug reports if you don't mind.

You can find the project here: https://github.com/tpm2-software/tpm2-tss-engine

Big thanks to Infineon for sponsoring this work !

Best regards,
Andreas Fuchs


* Re: [tpm2] TPM2TSS engine for OpenSSL
@ 2018-08-28 14:45 Joshua Lock
  0 siblings, 0 replies; 7+ messages in thread
From: Joshua Lock @ 2018-08-28 14:45 UTC (permalink / raw)
  To: tpm2


Hi Andreas,

On Wed, 2018-06-13 at 10:16 +0000, Fuchs, Andreas wrote:
> Hi all,
> 
> I just wanted to announce that we pushed a new crypto engine for
> OpenSSL using the tpm2-tss software stack.
> It is licensed under the BSD 3-clause license.
> It currently includes RSA sign, RSA decrypt and ECDSA with TPM
> generated keys.
> It uses ESAPI/ESYS (so it's a good usage example) and thus relies on
> the 2.0 series of tpm2-tss.
> I'd like to see some testing and bug reports if you don't mind.

What version of openssl was this developed for/tested against?

On Fedora 28:
$ openssl version
OpenSSL 1.1.0h-fips  27 Mar 2018
$ OPENSSL_ENGINES=/usr/local/lib/openssl/engines/ openssl engine -t -c tpm2tss
140349824665408:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(/usr/local/lib/openssl/engines/tpm2tss.so): /usr/local/lib/openssl/engines/tpm2tss.so: cannot open shared object file: No such file or directory
140349824665408:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161:
140349824665408:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
140349824665408:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:341:id=tpm2tss

I see similar on Ubuntu 18.04.1 LTS:
$ openssl version
OpenSSL 1.1.0g 2 Nov 2017

but on Ubuntu 16.04.5 LTS the engine loads as expected:
$ openssl version
OpenSSL 1.0.2g 1 Mar 2016
$ OPENSSL_ENGINES=/usr/local/lib/openssl/engines openssl engine -t -c tpm2tss
(tpm2tss) TPM2-TSS engine for OpenSSL
 [RSA, RAND]
     [ available ]

Along with fixing the engine to work with newer OpenSSL (it looks like
1.1.1 is in Beta) I think we might want/need to get a lot stricter with
the version specifier in the PKG_CHECK_MODULES call.

Thanks,
Joshua



* Re: [tpm2] TPM2TSS engine for OpenSSL
@ 2018-08-28 14:58 Fuchs, Andreas
  0 siblings, 0 replies; 7+ messages in thread
From: Fuchs, Andreas @ 2018-08-28 14:58 UTC (permalink / raw)
  To: tpm2


Hi Joshua,

the engine is tested against openssl 1.0.2 and 1.1.0 using travis ci, see https://github.com/tpm2-software/tpm2-tss-engine/blob/master/.travis.yml

The fedora-info looks strange, since it says "No such file or directory".
Could you check that /usr/local/lib/openssl/engines/tpm2tss.so actually exists ?

Thanks,
Andreas



* Re: [tpm2] TPM2TSS engine for OpenSSL
@ 2018-08-28 15:07 Philip Tricca
  0 siblings, 0 replies; 7+ messages in thread
From: Philip Tricca @ 2018-08-28 15:07 UTC (permalink / raw)
  To: tpm2


On Tue, Aug 28, 2018 at 03:45:31PM +0100, Joshua Lock wrote:
> Hi Andreas,
> 
> On Wed, 2018-06-13 at 10:16 +0000, Fuchs, Andreas wrote:
> > Hi all,
> > 
> > I just wanted to announce that we pushed a new crypto engine for
> > OpenSSL using the tpm2-tss software stack.
> > It is licensed under the BSD 3-clause license.
> > It currently includes RSA sign, RSA decrypt and ECDSA with TPM
> > generated keys.
> > It uses ESAPI/ESYS (so it's a good usage example) and thus relies on
> > the 2.0 series of tpm2-tss.
> > I'd like to see some testing and bug reports if you don't mind.
> 
> What version of openssl was this developed for/tested against?
> 
> On Fedora 28:
> $ openssl version
> OpenSSL 1.1.0h-fips  27 Mar 2018
> $ OPENSSL_ENGINES=/usr/local/lib/openssl/engines/ openssl engine -t -c tpm2tss
> 140349824665408:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(/usr/local/lib/openssl/engines/tpm2tss.so): /usr/local/lib/openssl/engines/tpm2tss.so: cannot open shared object file: No such file or directory
> 140349824665408:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161:
> 140349824665408:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
> 140349824665408:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:341:id=tpm2tss
> 
> I see similar on Ubuntu 18.04.1 LTS:
> $ openssl version
> OpenSSL 1.1.0g 2 Nov 2017
> 
> but on Ubuntu 16.04.5 LTS the engine loads as expected:
> $ openssl version
> OpenSSL 1.0.2g 1 Mar 2016
> $ OPENSSL_ENGINES=/usr/local/lib/openssl/engines openssl engine -t -c tpm2tss
> (tpm2tss) TPM2-TSS engine for OpenSSL
>  [RSA, RAND]
>      [ available ]
> 
> Along with fixing the engine to work with newer OpenSSL (it looks like
> 1.1.1 is in Beta) I think we might want/need to get a lot stricter with
> the version specifier in the PKG_CHECK_MODULES call.

I got the engine working fine with v1.1.0g. I did run into a few issues
though and they were all of my own doing. See if any info in this thread
helps:
https://github.com/tpm2-software/tpm2-tss-engine/issues/5#issuecomment-415223481

Philip


* Re: [tpm2] TPM2TSS engine for OpenSSL
@ 2018-08-28 15:30 Joshua Lock
  0 siblings, 0 replies; 7+ messages in thread
From: Joshua Lock @ 2018-08-28 15:30 UTC (permalink / raw)
  To: tpm2


On Tue, 2018-08-28 at 14:58 +0000, Fuchs, Andreas wrote:
> Hi Joshua,
> 
> the engine is tested against openssl 1.0.2 and 1.1.0 using travis ci,
> see 
> https://github.com/tpm2-software/tpm2-tss-engine/blob/master/.travis.yml
> 
> The fedora-info looks strange, since is says "No such file or
> directory".
> Could you check that  /usr/local/lib/openssl/engines/tpm2tss.so
> actually exists ?

It doesn't, I do have libtpm2tss.so (same on my Ubuntu 16.04.5 VM
though).
However, if I link the libtpm2tss.so -> tpm2tss.so the engine is picked
up:
$ sudo ln -s /usr/local/lib/openssl/engines/libtpm2tss.so /usr/local/lib/openssl/engines/tpm2tss.so
$ OPENSSL_ENGINES=/usr/local/lib/openssl/engines openssl engine -t -c tpm2tss
(tpm2tss) TPM2-TSS engine for OpenSSL
 [RSA, RAND]
     [ available ]

or indeed if I use libtpm2tss as the engine name:

$ OPENSSL_ENGINES=/usr/local/lib/openssl/engines openssl engine -t -c libtpm2tss
(libtpm2tss) TPM2-TSS engine for OpenSSL
Loaded: (tpm2tss) TPM2-TSS engine for OpenSSL
 [RSA, RAND]
     [ available ]

Thanks,

Joshua



* Re: [tpm2] TPM2TSS engine for OpenSSL
@ 2018-08-30  1:19 Philip Tricca
  0 siblings, 0 replies; 7+ messages in thread
From: Philip Tricca @ 2018-08-30  1:19 UTC (permalink / raw)
  To: tpm2


Hi Joshua,

On 08/28/2018 08:30 AM, Joshua Lock wrote:
> On Tue, 2018-08-28 at 14:58 +0000, Fuchs, Andreas wrote:
>> Hi Joshua,
>>
>> the engine is tested against openssl 1.0.2 and 1.1.0 using travis ci,
>> see 
>> https://github.com/tpm2-software/tpm2-tss-engine/blob/master/.travis.yml
>>
>> The fedora-info looks strange, since is says "No such file or
>> directory".
>> Could you check that  /usr/local/lib/openssl/engines/tpm2tss.so
>> actually exists ?
> 
> It doesn't, I do have libtpm2tss.so (same on my Ubuntu 16.04.5 VM
> though).
> However, if I link the libtpm2tss.so -> tpm2tss.so the engine is picked
> up:
> $ sudo ln -s /usr/local/lib/openssl/engines/libtpm2tss.so /usr/local/lib/openssl/engines/tpm2tss.so
> $ OPENSSL_ENGINES=/usr/local/lib/openssl/engines openssl engine -t -c tpm2tss
> (tpm2tss) TPM2-TSS engine for OpenSSL
>  [RSA, RAND]
>      [ available ]
> 
> or indeed if I use libtpm2tss as the engine name:
> 
> $ OPENSSL_ENGINES=/usr/local/lib/openssl/engines openssl engine -t -c libtpm2tss
> (libtpm2tss) TPM2-TSS engine for OpenSSL
> Loaded: (tpm2tss) TPM2-TSS engine for OpenSSL
>  [RSA, RAND]
>      [ available ]

I had to reverse engineer this behavior as part of doing my LSS talk. I
found `strace` was the most useful tool in debugging it. Try adding
'/usr/local/lib/openssl/engines' to your library load path
(LD_LIBRARY_PATH).

That said I have no idea if this is the right way to achieve this goal
but I can say it will allow you to omit the 'lib' prefix from the engine
name w/o having to rename the installed so.

Philip


* Re: [tpm2] TPM2TSS engine for OpenSSL
@ 2018-08-30  8:16 Fuchs, Andreas
  0 siblings, 0 replies; 7+ messages in thread
From: Fuchs, Andreas @ 2018-08-30  8:16 UTC (permalink / raw)
  To: tpm2


Now that's interesting....

The default OpenSSL-Engines for 1.0.0 are all prefixed with a lib*
I have to admit that I never used the OPENSSL_ENGINES env but rather the LD_LIBRARY_PATH.

I wonder what the correct behavior is ?
Is this a weirdness of openSSL ?

Does anyone around here know OpenSSL enough to give an answer or advice ?
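
Editor's note on the question above, with an added example that is not part of the thread and not code from the tpm2-tss-engine project. What the observations in this thread come down to is OpenSSL's "dynamic" engine loader in crypto/engine/eng_dyn.c: when ENGINE_by_id() is given a bare id and no SO_PATH, it asks the DSO layer to translate the id into a file name and then looks for that file only inside OPENSSL_ENGINES (or the compiled-in engines directory). OpenSSL 1.0.x translates "tpm2tss" into "libtpm2tss.so"; OpenSSL 1.1.0 sets DSO_FLAG_NAME_TRANSLATION_EXT_ONLY before translating and so looks for "tpm2tss.so". That is why an engine installed as libtpm2tss.so loads on 1.0.2g but not on 1.1.0g/h, why the symlink works, and why the id "libtpm2tss" is accepted on 1.1.0 (it becomes "libtpm2tss.so"). A name that already contains a "/" is never translated, so pointing a config section at the shared object by absolute path avoids the lib/.so question entirely. The script below encodes that rule, checks an engines directory for the spelling a given OpenSSL version expects, and writes such a config; the temporary directory and the empty libtpm2tss.so stand-in it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (editor's, not from the tpm2-tss-engine project): predict
# which file OpenSSL's "dynamic" engine loader will open for an engine id,
# check an engines directory for it, and emit a config that names the
# shared object by absolute path so no name translation is involved.

# version_from_banner "OpenSSL 1.1.0h-fips  27 Mar 2018" -> 1.1.0h-fips
# (the second whitespace-separated field of `openssl version`)
version_from_banner() {
    set -- $1
    printf '%s\n' "$2"
}

# engine_so_name VERSION ID -> the file name ENGINE_by_id(ID) will look for
# under OPENSSL_ENGINES.  Rule from crypto/engine/eng_dyn.c: 1.0.x prefixes
# "lib" and appends ".so"; 1.1.0 and later only append ".so".
engine_so_name() {
    case "$1" in
        0.*|1.0.*) printf 'lib%s.so\n' "$2" ;;
        *)         printf '%s.so\n' "$2" ;;
    esac
}

# check_engine DIR ID VERSION
# exit 0: the expected file exists; 1: only the other spelling exists
# (the situation in this thread); 2: neither spelling is installed
check_engine() {
    dir=$1; id=$2; ver=$3
    want=$(engine_so_name "$ver" "$id")
    if [ -e "$dir/$want" ]; then
        echo "ok: $dir/$want"
        return 0
    fi
    case "$want" in
        lib*) other=${want#lib} ;;
        *)    other="lib$want" ;;
    esac
    if [ -e "$dir/$other" ]; then
        echo "mismatch: OpenSSL $ver wants $want but only $other is installed in $dir"
        return 1
    fi
    echo "missing: neither $want nor $other in $dir"
    return 2
}

# write_engine_conf DIR ID OUTFILE
# Writes an OpenSSL config that loads the engine through an absolute
# dynamic_path, whichever spelling is installed.  A path containing "/"
# is not run through the lib/.so translation, so this works on both
# 1.0.2 and 1.1.0.  Section names are this example's own choice.
write_engine_conf() {
    dir=$1; id=$2; out=$3
    so=$(ls "$dir/$id.so" "$dir/lib$id.so" 2>/dev/null | head -n 1)
    [ -n "$so" ] || return 1
    cat > "$out" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
$id = ${id}_section

[${id}_section]
engine_id = $id
dynamic_path = $so
default_algorithms = ALL
EOF
}

# Constructed demonstration: an engine installed as libtpm2tss.so (as on
# the machines in the thread) checked against both OpenSSL versions seen.
demo_dir=$(mktemp -d)
: > "$demo_dir/libtpm2tss.so"
check_engine "$demo_dir" tpm2tss "$(version_from_banner 'OpenSSL 1.0.2g  1 Mar 2016')" || :
check_engine "$demo_dir" tpm2tss "$(version_from_banner 'OpenSSL 1.1.0h-fips  27 Mar 2018')" || :
write_engine_conf "$demo_dir" tpm2tss "$demo_dir/engine.cnf" && cat "$demo_dir/engine.cnf" || :
rm -rf "$demo_dir"
```

To apply it to a real installation, run check_engine against the directory you pass in OPENSSL_ENGINES with the version string from `openssl version`, and if it reports a mismatch either rename or symlink the object as Joshua did, or point OPENSSL_CONF at the generated file and load the engine with `openssl engine -t -c tpm2tss`, which then needs neither OPENSSL_ENGINES nor LD_LIBRARY_PATH.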


