From 166a5538edb4eafaf64c7a45a63ab1a20ac30361 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20Th=C3=B6ni?=
Date: Wed, 29 Nov 2023 16:25:51 +0100
Subject: [PATCH] esys: Use default OpenSSL context for session HMAC operations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The TPM2 provider may be loaded in the global library context. As we don't want the TPM to be called for some operations, we have to initialize own library context with the default provider.

Signed-off-by: Stefan Thöni
---
 src/tss2-esys/esys_crypto_ossl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 92b48b11c..1620788c6 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -394,9 +394,14 @@ iesys_cryptossl_hmac_start(ESYS_CRYPTO_CONTEXT_BLOB ** context,
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
     if (!(hkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, size))) {
-#else
+#elif OPENSSL_VERSION_NUMBER < 0x30000000L
     /* this is preferred, but available since OpenSSL 1.1.1 only */
     if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) {
+#else
+    /* this is nessecary from OpenSSL 3.0.0 to avoid using the TPM2 provider using
+     * OpenSSL in a circular dependency */
+    if (!(hkey = EVP_PKEY_new_raw_private_key_ex(mycontext->hash.ossl_libctx,
+        "HMAC", NULL, key, size))) {
 #endif
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Failed to create HMAC key", cleanup);