please disregard my last email, think i need to read up the OSAP and
concepts of authhandles first..
- adrian.
On Mon, Nov 30, 2009 at 3:08 PM, adrian golding <[email protected]>wrote:
> hi, i looked at the source ~/trousers/src/tspi/tspi_seal.c to understand
> how it works.
>
> in tspi_seal.c, within the Tspi_Data_Seal function, authsess_xsap_init() is
> called to initialise 'xsap', and then a hash is computed as per the
> specifications. And then this digest is passed to an authsess_xsap_hmac().
> after that a Seal() takes place.
>
> this is the authsess_xsap_hmac():
>
> //---------------------------------------------------------------------------------------------------------------------
>
> //---------------------------------------------------------------------------------------------------------------------
> TSS_RESULT
> authsess_xsap_hmac(struct authsess *sess, TPM_DIGEST *digest)
> {
> TSS_RESULT result;
>
> /* If no auth session was established using this authsess object,
> return success */
> if (!sess->pAuth)
> return TSS_SUCCESS;
>
> /* XXX Placeholder for future continueAuthSession support:
> * conditionally bump NonceOdd if continueAuthSession == TRUE here
> */
>
> if ((result =
> ((TSS_RESULT (*)(PVOID, TSS_HOBJECT, TSS_BOOL,
> UINT32, TSS_BOOL, UINT32, BYTE *, BYTE *,
> BYTE *, BYTE *, UINT32, BYTE *,
> BYTE *))sess->cb_hmac.callback)(sess->cb_hmac.appData,
> sess->hUsageParent, TRUE, sess->command,
> sess->auth.fContinueAuthSession,
> sizeof(TPM_NONCE),
> sess->auth.NonceEven.nonce,
> sess->auth.NonceOdd.nonce,
> sess->nonceEvenxSAP.nonce,
> sess->nonceOddxSAP.nonce, sizeof(TPM_DIGEST),
> digest->digest, sess->auth.HMAC.authdata)))
> return result;
>
> obj_policy_dec_counter(sess->hUsageParent);
> obj_policy_dec_counter(sess->hUsageChild);
> obj_policy_dec_counter(sess->hMigChild);
>
> return TSS_SUCCESS;
> }
>
>
> //---------------------------------------------------------------------------------------------------------------------
>
> //---------------------------------------------------------------------------------------------------------------------
>
> i guess this function will send the hmac to the TPM before it sends the
> seal command since i saw the seal() coming after all these at the end, am i
> right?
> According to the specifications, there are 2 more nonces and 1 boolean to
> be concatenated to the digest that was passed in. As the nonces were not
> passed in as arguments, how did the code retrieve it?
>
> thank you - adrian
>
>
>
> On Tue, Nov 24, 2009 at 6:01 PM, Anthony Dessiatnikoff <
> [email protected]> wrote:
>
>> Hi,
>>
>> HMAC messages are build in 2 stages:
>>
>> first: you have to compute a SHA-1 of data
>> second: you concatenate the previous hash to other data
>>
>> So, 1S, 2S are concatenated and then hashed (SHA-1) and then you have to
>> concatenate the result to 2H1, 3H1, ...
>>
>> to resume:
>>
>> HMAC msg = SHA-1(1S || 2S || 3S) || 2H1 || 3H1 || 4H1
>>
>> where || is the concatenation.
>>
>> This HMAC is used by the TPM to verify the integrity of the command. You
>> also have to provide a SHA-1 of your password to be able to use the key
>> which represents the HMAC key.
>>
>> You have to send it to the TPM else the integrity will not be verified and
>> the TPM will not authorize you to use this command.
>>
>> If you have questions,
>>
>>
>>
>> 2009/11/24 adrian golding <[email protected]>
>>
>>> hi, my question is related to this hash i see in tspi_seal.c and in the
>>> TPM specifications:
>>>
>>> I was looking at the TPM main Part 3 TPM Commands document obtained from
>>> here:
>>>
>>> http://www.trustedcomputinggroup.org/files/resource_files/646B5D4D-1D09-3519-AD21C36DEA87B4B8/tpmwg-mainrev62_Part3_Commands.pdf
>>>
>>> page 56-57 or so. the first column (reads PARAM) states what parameters
>>> are expected to be sent to the TPM, and the second column (reads HMAC) and i
>>> guess some of the parameters need to be hashed according to the
>>> specifications. Qn#1: sometimes it states what does the "2H1", "1S", "2S"
>>> etc in the HMAC column mean?
>>>
>>> and then i looked at the code in ~/trousers/src/tspi/tspi_seal.c to see
>>> what is being done inside:
>>> i noticed that there was hashing done according to the specs. Qn#2: how
>>> is this hash used later on? Is this hash going to be sent to the TPM in any
>>> way?
>>>
>>> thank you - adrian
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> TrouSerS-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/trousers-users
>>>
>>>
>>
>>
>> --
>> Anthony Dessiatnikoff
>> Researcher in computing security
>>
>
>
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
