From e643676840242368a3e6c2e4ebf98091098d3aa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20Th=C3=B6ni?=
Date: Wed, 29 Nov 2023 16:25:51 +0100
Subject: [PATCH] esys: Use default OpenSSL context for session HMAC operations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The TPM2 provider may be loaded in the global library context. As we don't want the TPM to be called for some operations, we have to initialize own library context with the default provider.

Signed-off-by: Stefan Thöni
---
 src/tss2-esys/esys_crypto_ossl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 92b48b11c..1620788c6 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -394,9 +394,14 @@ iesys_cryptossl_hmac_start(ESYS_CRYPTO_CONTEXT_BLOB ** context,
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
 if (!(hkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, size))) {
-#else
+#elif OPENSSL_VERSION_NUMBER < 0x30000000L
 /* this is preferred, but available since OpenSSL 1.1.1 only */
 if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) {
+#else
+ /* this is nessecary from OpenSSL 3.0.0 to avoid using the TPM2 provider using
+ * OpenSSL in a circular dependency */
+ if (!(hkey = EVP_PKEY_new_raw_private_key_ex(mycontext->hash.ossl_libctx,
+ "HMAC", NULL, key, size))) {
 #endif
 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Failed to create HMAC key", cleanup);