
List:       trousers-users
Subject:    Re: [TrouSerS-users] TSP Transport Session
From:       michaeldorner <dorner () in ! tum ! de>
Date:       2013-01-24 21:43:46
Message-ID: 1359063826.17295.6.camel () ThinkPad-T61

I have checked which function returns the invalid handle, and it is the
secret_PerformAuth_OIAP() call in obj_context_transport_close which
seems to return the error. Within this function it is the function call
to OIAP:

if ((result = OIAP(tspContext, &auth->AuthHandle, &auth->NonceEven))),

somewhere around line 70 in tsp_auth.c,

which returns an error on my platform. I do not have the time to take a
look at how OIAP works in detail and check what is wrong there, but
maybe it helps someone else who wants to fix this some other time. The
call to secret_PerformAuth_OIAP() works fine when opening the session,
but that may be due to the hack that is used in the function.

Michael
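As an added illustration (not code from this thread or from TrouSerS), the following C model replays the sequence Kent describes further down: an exclusive transport session is opened, the tcsd sends one of its own key-management queries to the TPM outside the session, and the session is gone by the time the close-and-sign step presents its auth handle. It also splits the TSS_RESULT values quoted in the thread (0x00003126, 0x00002004, 0x22) into layer and error parts, which tells you whether the TPM, the TCS daemon or the TSP library produced a failure. The struct, the function names, the constructed auth-handle value, the event order and the `enforce_exclusive_transport` flag modelled as a plain C variable are all assumptions of this model; only the layer offsets and the three error constants are taken from the TSS 1.2 headers.

```c
/* Added model of a TPM 1.2 exclusive transport session and TSS_RESULT layering.
 * Not TrouSerS code: struct, function names, handle value and event order are
 * assumptions chosen to mirror the scenario discussed in the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t TSS_RESULT;

/* Layer offsets and error codes as defined in the TSS 1.2 tss_error.h. */
#define TSS_LAYER_TPM            0x0000u
#define TSS_LAYER_TDDL           0x1000u
#define TSS_LAYER_TCS            0x2000u
#define TSS_LAYER_TSP            0x3000u
#define TSS_LAYER_MASK           0xF000u
#define TSS_CODE_MASK            0x0FFFu
#define TSS_SUCCESS              0x0000u
#define TSS_E_INTERNAL_ERROR     0x0004u
#define TSS_E_INVALID_HANDLE     0x0126u
#define TPM_E_INVALID_AUTHHANDLE 0x0022u

/* Which component produced a result: 0x3xxx is the TSP library in the caller's
 * process, 0x2xxx the tcsd, 0x0xxx the TPM itself. */
const char *tss_layer_name(TSS_RESULT r)
{
    switch (r & TSS_LAYER_MASK) {
    case TSS_LAYER_TPM:  return "TPM";
    case TSS_LAYER_TDDL: return "TDDL";
    case TSS_LAYER_TCS:  return "TCS";
    case TSS_LAYER_TSP:  return "TSP";
    default:             return "unknown";
    }
}

/* Names for the codes quoted in the thread. TPM-layer codes live in their own
 * namespace, so the layer is checked before the low 12 bits are interpreted. */
const char *tss_error_name(TSS_RESULT r)
{
    uint32_t code = r & TSS_CODE_MASK;
    if (code == TSS_SUCCESS)
        return "TSS_SUCCESS";
    if ((r & TSS_LAYER_MASK) == TSS_LAYER_TPM)
        return code == TPM_E_INVALID_AUTHHANDLE ? "TPM_E_INVALID_AUTHHANDLE"
                                                : "other TPM error";
    if (code == TSS_E_INTERNAL_ERROR) return "TSS_E_INTERNAL_ERROR";
    if (code == TSS_E_INVALID_HANDLE) return "TSS_E_INVALID_HANDLE";
    return "other TSS error";
}

/* The TPM's view of its single transport session. */
typedef struct {
    int      open;        /* a session is established */
    int      exclusive;   /* exclusivity was requested and honoured */
    uint32_t auth_handle; /* handle the TSP must present when it closes */
} transport_t;

/* Stands in for enforce_exclusive_transport in /etc/tcsd.conf: with 0 the tcsd
 * ignores the caller's request for an exclusive session. */
static int enforce_exclusive_transport = 1;

/* Session establishment once transport has been enabled on the context. */
TSS_RESULT transport_open(transport_t *t, int want_exclusive)
{
    t->open = 1;
    t->exclusive = want_exclusive && enforce_exclusive_transport;
    t->auth_handle = 0x0200000Au;   /* constructed handle; any non-zero value */
    return TSS_SUCCESS;
}

/* Any command that reaches the TPM outside the session, e.g. the tcsd asking
 * which keys are loaded. An exclusive session does not survive it. */
void tpm_command_outside_transport(transport_t *t)
{
    if (t->open && t->exclusive) {
        t->open = 0;
        t->auth_handle = 0;
    }
}

/* Close and sign: the TPM must still recognise the session's auth handle,
 * otherwise it answers TPM_E_INVALID_AUTHHANDLE (0x22). */
TSS_RESULT transport_close_sign(transport_t *t, uint32_t auth_handle)
{
    if (!t->open || t->auth_handle != auth_handle)
        return TSS_LAYER_TPM | TPM_E_INVALID_AUTHHANDLE;
    t->open = 0;
    return TSS_SUCCESS;
}

/* Replays the thread: open an exclusive session, optionally let the tcsd query
 * the TPM outside it, then close and sign. Returns the close result. */
TSS_RESULT scenario(int enforce, int tcsd_queries_tpm_meanwhile)
{
    transport_t t = {0};
    enforce_exclusive_transport = enforce;
    transport_open(&t, 1);
    uint32_t handle = t.auth_handle;   /* what the TSP remembers for the close */
    if (tcsd_queries_tpm_meanwhile)
        tpm_command_outside_transport(&t);
    return transport_close_sign(&t, handle);
}

int main(void)
{
    const char *label[] = { "exclusive, interrupted by tcsd", "exclusive, left alone",
                            "enforce_exclusive_transport = 0" };
    int args[][2] = { {1, 1}, {1, 0}, {0, 1} };
    for (int i = 0; i < 3; i++) {
        TSS_RESULT r = scenario(args[i][0], args[i][1]);
        printf("%-32s 0x%08x (%s / %s)\n", label[i], r,
               tss_layer_name(r), tss_error_name(r));
    }
    return 0;
}
```

Only the second scenario is the behaviour the thread is after: nothing reaches the TPM outside the session while it is open, so the close can still sign the session log and the exclusivity guarantee holds. The third scenario returns success only because the tcsd never honoured the exclusive request, which is why Kent asks for `enforce_exclusive_transport = 1`; a clean close with enforcement off says nothing about what else the TPM executed in between.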

On Fri, 2013-01-18 at 09:34 -0600, Kent Yoder wrote:
> On Fri, Jan 18, 2013 at 8:03 AM, Michael Dorner
> <michael.georg.dorner@in.tum.de> wrote:
> > Hey Kent,
> >
> > your first two patches fixed the hang on CloseSignTransport, and now I get
> > an error-code back at least:
> >
> > 0x00003126: Invalid handle.
> >
> > Is there anything special one has to pay attention to when executing
> > commands in the transport?
> 
>   Ideally there shouldn't be, except for the rules around exclusive
> sessions.  Invalid handle could only be a few things here, the
> context, the key or the usage policy for the key.
> 
> > Applying your last patch however makes me unable to even connect to a
> > context and returns:
> >
> > 0x00002004: Internal Software Error
> 
>   This might be that you're linking against a trousers < 0.3.10 tspi
> library and trying to connect to a 0.3.10 daemon.
> 
> Kent
> 
> > I haven't had time to check if it is a simple error or what causes it, so I
> > can't say much more right now, other than that it creates an error.
> >
> > Thank you for your help,
> >
> > Michael
> >
> >
> >
> > On 17/01/2013 23:27, Kent Yoder wrote:
> >>
> >> On Thu, Jan 17, 2013 at 12:59 PM, Kent Yoder <shpedoikal@gmail.com> wrote:
> >>>>
> >>>> I'm interested to know what you see in your testcase after applying
> >>>> these patches.  I get a 0x22 (invalid auth handle) return code from
> >>>> Tspi_Context_CloseSignTransport, which I can't yet explain. I'm on an
> >>>> STM TPM here.
> >>>
> >>>    Ok, I see what's happening now. The code sets up an exclusive
> >>> transport session, which means that while it's open, any TPM command
> >>> that executes outside the TS will force a close of the TS.  This
> >>> includes commands sent down by the tcsd during normal operations, for
> >>> things like asking the TPM which keys it has loaded.  This is what
> >>> happens in this case: the tcsd asks the TPM which keys it has loaded
> >>> during key management, terminating the session before close.  Because
> >>> there's a signing key involved in closing and signing the session
> >>> hash, this might *always* happen. :-(
> >>
> >>    Got a fix for you. :-)  Please test the attached patch.  Also make
> >> sure you've set
> >>
> >> enforce_exclusive_transport = 1
> >>
> >> in /etc/tcsd.conf, so that it doesn't ignore the fact that you want an
> >> exclusive session.
> >>
> >> Thanks,
> >> Kent
> >>
> >>>    I've opened a defect against the tcsd [1] to look into better support
> >>> for ETS.
> >>>
> >>> Kent
> >>>
> >>> [1]
> >>> https://sourceforge.net/tracker/?func=detail&aid=3601290&group_id=126012&atid=704358
> >>>
> >>>
> >>>> Kent
> >>>>
> >>>>> fairly sure that the key I am using (which is an AIK) has been loaded
> >>>>> correctly, and that I correctly initialized the validation structure as
> >>>>> well as the context, because I can quote within the same context using
> >>>>> the same code for initializing them.
> >>>>>
> >>>>> I am using:
> >>>>>
> >>>>> Ubuntu 11.04 (have to for compatibility reasons with other software)
> >>>>> trousers0.3.5-2_i386.deb (haven't seen anything in the update logs that
> >>>>> would possibly fix this in future versions)
> >>>>> Atmel TPM v1.2 (capabilities include one transport session)
> >>>>> gcc 4.5.2
> >>>>>
> >>>>> I will attach a piece of code to the bottom which produces the error
> >>>>> with my system setup. I cleaned it of any unrelated code, and at the
> >>>>> moment it is not executing anything within the transport. However, the
> >>>>> same problem occurs when executing TPM commands during the transport.
> >>>>>
> >>>>> Calling
> >>>>>
> >>>>> gcc -ltspi -Wall -o ttest cleanTransportCall.c
> >>>>>
> >>>>> on my source file should give no warning, or at least I do not get any.
> >>>>>
> >>>>> Best regards,
> >>>>>
> >>>>> Michael Dorner
> >>>>>
> >>>>>
> >>>>>
> >>>>> ########### Code for cleanTransportCall.c: ##############################
> >>>>>
> >>>>> /*
> >>>>>  * cleanTransportCall.c
> >>>>>  *
> >>>>>  *  Created on: Jan 7, 2013
> >>>>>  *      Author: michaeldorner
> >>>>>  *      Purpose: Bugreport CloseSignTransport
> >>>>>  *
> >>>>>  */
> >>>>> #include <stdio.h>
> >>>>> #include <string.h>
> >>>>> #include <stdlib.h>
> >>>>> #include <sys/types.h>
> >>>>> #include <tss/platform.h>
> >>>>> #include <tss/tspi.h>
> >>>>> #include <trousers/trousers.h>
> >>>>> //challener debug macro (from tutorial): prints where a TSS call failed
> >>>>> //together with the human-readable string for its result code
> >>>>> #define DBG(message, tResult) printf("(Line%d, %s)%s returned 0x%08x. %s\n", \
> >>>>>         __LINE__, __func__, message, tResult, (char*)Trspi_Error_String(tResult))
> >>>>>
> >>>>> //declarations, supporting only plaintext secrets here
> >>>>> TSS_RESULT context_init(TSS_HCONTEXT *phContext);
> >>>>> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
> >>>>>                 char* srk_auth, TSS_HTPM *phTPM, char* owner_auth);
> >>>>> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
> >>>>>                 TSS_UUID aik_uuid, char* aik_auth);
> >>>>> int main(int argc, char **argv) {
> >>>>>         printf("entered main\n");
> >>>>>         TSS_HCONTEXT hContext;
> >>>>>         TSS_HTPM hTPM;
> >>>>>         TSS_HKEY hSRK, hAIKey;
> >>>>>         TSS_VALIDATION vData;
> >>>>>         TSS_RESULT result;
> >>>>>         BYTE nonce[20];
> >>>>>         int size = 20;
> >>>>>         //modify this code to select own aik
> >>>>>         TSS_UUID aik_uuid = { 0, 0, 0, 0, 0, { 0, 0, 0, 0, 0, 12 } };
> >>>>>         if ((result = context_init(&hContext)) != TSS_SUCCESS) {
> >>>>>                 exit(result);
> >>>>>         }
> >>>>>         if ((result = srk_tpm_init(&hContext, &hSRK, "password", &hTPM,
> >>>>>                         "password")) != TSS_SUCCESS) {
> >>>>>                 exit(result);
> >>>>>         }
> >>>>>         //set the nonce as external data (a fixed all-zero test nonce, so
> >>>>>         //the buffer is not handed to the TSS uninitialized)
> >>>>>         memset(nonce, 0, sizeof(nonce));
> >>>>>         vData.ulExternalDataLength = size;
> >>>>>         vData.rgbExternalData = nonce;
> >>>>>         if ((result = load_aik(&hContext, &hSRK, &hAIKey, aik_uuid, NULL))
> >>>>>                         != TSS_SUCCESS) {
> >>>>>                 exit(result);
> >>>>>         }
> >>>>>         printf("starting transport session\n");
> >>>>>         //enable transport on the context, then select the session mode:
> >>>>>         //no default encryption, exclusive, authentic channel
> >>>>>         if ((result = Tspi_SetAttribUint32(hContext,
> >>>>>                         TSS_TSPATTRIB_CONTEXT_TRANSPORT,
> >>>>>                         TSS_TSPATTRIB_CONTEXTTRANS_CONTROL,
> >>>>>                         TSS_TSPATTRIB_ENABLE_TRANSPORT)) != TSS_SUCCESS) {
> >>>>>                 exit(result);
> >>>>>         }
> >>>>>         if ((result = Tspi_SetAttribUint32(hContext,
> >>>>>                         TSS_TSPATTRIB_CONTEXT_TRANSPORT,
> >>>>>                         TSS_TSPATTRIB_CONTEXTTRANS_MODE,
> >>>>>                         TSS_TSPATTRIB_TRANSPORT_NO_DEFAULT_ENCRYPTION)) != TSS_SUCCESS) {
> >>>>>                 exit(result);
> >>>>>         }
> >>>>>         if ((result = Tspi_SetAttribUint32(hContext,
> >>>>>                         TSS_TSPATTRIB_CONTEXT_TRANSPORT,
> >>>>>                         TSS_TSPATTRIB_CONTEXTTRANS_MODE,
> >>>>>                         TSS_TSPATTRIB_TRANSPORT_EXCLUSIVE)) != TSS_SUCCESS) {
> >>>>>                 exit(result);
> >>>>>         }
> >>>>>         if ((result = Tspi_SetAttribUint32(hContext,
> >>>>>                         TSS_TSPATTRIB_CONTEXT_TRANSPORT,
> >>>>>                         TSS_TSPATTRIB_CONTEXTTRANS_MODE,
> >>>>>                         TSS_TSPATTRIB_TRANSPORT_AUTHENTIC_CHANNEL)) != TSS_SUCCESS) {
> >>>>>                 exit(result);
> >>>>>         }
> >>>>>         //encapsulated commands start
> >>>>>
> >>>>>
> >>>>>
> >>>>>         //encapsulated commands end
> >>>>>         printf("calling closeSignTransport\n");
> >>>>>         if ((result = Tspi_Context_CloseSignTransport(hContext, hAIKey, &vData))
> >>>>>                         != TSS_SUCCESS) {
> >>>>>                 DBG("closing transport", result);
> >>>>>                 exit(result);
> >>>>>         }
> >>>>>         Tspi_Context_FreeMemory(hContext, NULL);
> >>>>>         Tspi_Context_Close(hContext);
> >>>>>         DBG("leaving main", result);
> >>>>>         exit(result);
> >>>>> }
> >>>>>
> >>>>> //helpers
> >>>>> /*
> >>>>>  * this function takes an uninitialized tpmobject, srk and context and
> >>>>>  * initializes/loads it
> >>>>>  */
> >>>>> TSS_RESULT context_init(TSS_HCONTEXT *phContext) {
> >>>>>         printf("entered context_init\n");
> >>>>>         TSS_RESULT result;
> >>>>>         //create context and connect to it
> >>>>>         if ((result = Tspi_Context_Create(phContext)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         if ((result = Tspi_Context_Connect(*phContext, NULL)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         DBG("leaving context_init", result);
> >>>>>         return result;
> >>>>> }
> >>>>>
> >>>>> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
> >>>>>                 char* srk_auth, TSS_HTPM *phTPM, char* owner_auth) {
> >>>>>         TSS_RESULT result;
> >>>>>         TSS_HPOLICY hSRKPolicy, hTPMPolicy;
> >>>>>         TSS_UUID UUID_SRK = TSS_UUID_SRK;
> >>>>>         if ((result = Tspi_Context_LoadKeyByUUID(*phContext, TSS_PS_TYPE_SYSTEM,
> >>>>>                         UUID_SRK, phSRK)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         //create policy object for the SRK and assign it
> >>>>>         if ((result = Tspi_Context_CreateObject(*phContext, TSS_OBJECT_TYPE_POLICY,
> >>>>>                         TSS_POLICY_USAGE, &hSRKPolicy)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         if ((result = Tspi_Policy_SetSecret(hSRKPolicy, TSS_SECRET_MODE_PLAIN,
> >>>>>                         strlen(srk_auth), (BYTE *) srk_auth)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         if ((result = Tspi_Policy_AssignToObject(hSRKPolicy, *phSRK)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>
> >>>>>         //fetch the TPM object and give it a usage policy holding the owner secret
> >>>>>         if ((result = Tspi_Context_GetTpmObject(*phContext, phTPM)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         if ((result = Tspi_Context_CreateObject(*phContext, TSS_OBJECT_TYPE_POLICY,
> >>>>>                         TSS_POLICY_USAGE, &hTPMPolicy)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         if ((result = Tspi_Policy_SetSecret(hTPMPolicy, TSS_SECRET_MODE_PLAIN,
> >>>>>                         strlen(owner_auth), (BYTE *) owner_auth)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         if ((result = Tspi_Policy_AssignToObject(hTPMPolicy, *phTPM)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         return result;
> >>>>> }
> >>>>>
> >>>>> /*
> >>>>>  * load an attestation key by its UUID, the context has to be connected
> >>>>>  * and the srk has to be loaded
> >>>>>  */
> >>>>> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
> >>>>>                 TSS_UUID aik_uuid, char *aik_auth) {
> >>>>>         printf("entered load_aik_by_uuid\n");
> >>>>>         TSS_RESULT result;
> >>>>>         TSS_HPOLICY hAIKPolicy;
> >>>>>         if ((result = Tspi_Context_LoadKeyByUUID(*hContext, TSS_PS_TYPE_SYSTEM,
> >>>>>                         aik_uuid, hAIK)) != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         if ((result = Tspi_GetPolicyObject(*hAIK, TSS_POLICY_USAGE, &hAIKPolicy))
> >>>>>                         != TSS_SUCCESS) {
> >>>>>                 return (result);
> >>>>>         }
> >>>>>         //if using an AIK generated from the privacyCA.com code, it has NULL as
> >>>>>         //plain secret
> >>>>>         if (aik_auth != NULL) {
> >>>>>                 if ((result = Tspi_Policy_SetSecret(hAIKPolicy, TSS_SECRET_MODE_PLAIN,
> >>>>>                                 strlen(aik_auth), (BYTE*) aik_auth)) != TSS_SUCCESS) {
> >>>>>                         return (result);
> >>>>>                 }
> >>>>>         } else {
> >>>>>                 if ((result = Tspi_Policy_SetSecret(hAIKPolicy, TSS_SECRET_MODE_PLAIN,
> >>>>>                                 0, NULL)) != TSS_SUCCESS) {
> >>>>>                         return (result);
> >>>>>                 }
> >>>>>         }
> >>>>>         DBG("leaving load_aik_by_uuid", result);
> >>>>>         return (result);
> >>>>> }
> >>>>>
> >
> >
> 



_______________________________________________
TrouSerS-users mailing list
TrouSerS-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/trousers-users