SSL connection failure: PKCS #11 error
David Woodhouse
dwmw2 at infradead.org
Thu Mar 7 14:53:50 PST 2024
On 7 March 2024 19:03:33 GMT, traxtopel at gmail.com wrote:
>David,
>tried to patch it no luck
>i.e.
>diff -ur openconnect-9.12.orig/gnutls_tpm2_esys.c openconnect-
>9.12/gnutls_tpm2_esys.c
>--- openconnect-9.12.orig/gnutls_tpm2_esys.c 2022-04-28
>17:58:05.000000000 +0200
>+++ openconnect-9.12/gnutls_tpm2_esys.c 2024-03-07 16:03:54.521631835
>+0100
>@@ -498,12 +498,11 @@
> case SHA1_SIZE: inScheme.details.ecdsa.hashAlg =
>TPM2_ALG_SHA1; break;
> case SHA256_SIZE: inScheme.details.ecdsa.hashAlg =
>TPM2_ALG_SHA256; break;
> case SHA384_SIZE: inScheme.details.ecdsa.hashAlg =
>TPM2_ALG_SHA384; break;
>- case SHA512_SIZE: inScheme.details.ecdsa.hashAlg =
>TPM2_ALG_SHA512; break;
>+ case SHA512_SIZE: inScheme.details.ecdsa.hashAlg =
>TPM2_ALG_SHA512; digest.size = 32 ; break;
> default:
>- vpn_progress(vpninfo, PRG_ERR,
>- _("Unknown TPM2 EC digest size %d for
>algo 0x%x\n"),
>- data->size, algo);
>- return GNUTLS_E_PK_SIGN_FAILED;
>+ inScheme.details.ecdsa.hashAlg = TPM2_ALG_SHA512;
That wants to be SHA256 too.
>+ digest.size = 32;
>+ break;
> }
>
> memcpy(digest.buffer, data->data, data->size);
>
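Review bot: the rewritten default branch (the `-` lines through `+ break;`) drops the error return, so an unrecognised data->size now falls through to `memcpy(digest.buffer, data->data, data->size);` with no check that the input fits digest.buffer, while digest.size is forced to 32 regardless of how many bytes were actually copied; keep the `vpn_progress(vpninfo, PRG_ERR, _("Unknown TPM2 EC digest size %d for algo 0x%x\n"), ...)` diagnostic and `return GNUTLS_E_PK_SIGN_FAILED;` for sizes the code does not handle. The SHA512_SIZE case has the same inconsistency: it selects TPM2_ALG_SHA512 but sets digest.size = 32, which is the SHA256 digest length, so hashAlg and digest.size disagree; if the intent is to sign a 256-bit digest, both the case and the default should use TPM2_ALG_SHA256 with size 32.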
>I am on Fedora 39 using gnutls-3.8.3-1.fc39.x86_64
Ah, by v3.8 GnuTLS actually includes my TPMv2 code natively. Can you test with gnutls-cli connecting to the same server with the same key?