Hi Michael, On Fri, Jan 11, 2013 at 5:55 AM, michaeldorner <[email protected]> wrote: > Hey everyone, > > I am not quite sure, whether this should go on the tech- or the users- > list, but I am experiencing issues with the transport functionality of > the TSP, the signing of a transport to be precise. When calling > Tspi_Context_CloseSignTransport, the function does not terminate. I am
I had to modify your test code a bit to use a signing key I generate
on the fly instead of your AIK. After that, I was able to reproduce
your hang, which is a deadlock trying to authorize closing the
transport session.
I also ran into another bug in the tcsd when doing unencrypted
transport sessions.
Patches to fix both problems are attached, but I ran into an
interesting situation. If no TPM commands are executed inside the
transport session, trousers will feed uninitialized auth data for the
session to the TPM when Tspi_Context_CloseSignTransport is called,
leading to a TPM error. This is probably working as designed
actually. But - if the key you're using to sign the session hash
takes a password, the auth session for that key will execute inside
the transport session (during the processing of the
Tspi_Context_CloseSignTransport call), initializing the auth data and
making it succeed. ;-)
I'm interested to know what you see in your testcase after applying
these patches. I get a 0x22 (invalid auth handle) return code from
Tspi_Context_CloseSignTransport, which I can't yet explain. I'm on an
STM TPM here.
Kent
> fairly sure, that the key I am using (which is an AIK) has been loaded
> correctly, and that I correctly initialized the validation structure as
> well as the context, because I can quote within the same context using
> the same code for initializing them.
>
> I am using:
>
> Ubuntu 11.04 (have to for compatibility reasons with other software)
> trousers0.3.5-2_i386.deb (haven't seen anything on the update logs, that
> would possibly fix this in future versions)
> Atmel TPM v1.2 (capabilities include one transport session)
> gcc 4.5.2
>
> I will attach a piece of code to the bottom, which produces the error
> with my system setup. I cleaned it from any unrelated code and at the
> moment it is not executing anything within the transport. However the
> same problem occurs, when executing TPM-commands during the transport.
>
> Calling
>
> gcc -ltspi -Wall -o ttest cleanTransportCall.c
>
> on my source file should give no warning, or at least I do not get any.
>
> Best regards,
>
> Michael Dorner
>
>
>
> ########### Code for cleanTransportCall.c:##############################
>
> /*
> * cleanTransportCall.c
> *
> * Created on: Jan 7, 2013
> * Author: michaeldorner
> * Purpose: Bugreport CloseSignTransport
> *
> */
> #include <stdio.h>
> #include <string.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <tss/platform.h>
> #include <tss/tspi.h>
> #include <trousers/trousers.h>
> //challener debug macro (from tutorial)
> #define DBG(message,tResult)printf("(Line%d, %s)%s returned 0x%08x. %s
> \n", __LINE__,__func__,message, tResult,
> (char*)Trspi_Error_String(tResult))
>
> //declarations, supporting only plaintext secrets here
> TSS_RESULT context_init(TSS_HCONTEXT *phContext);
> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
> char* srk_auth, TSS_HTPM *phTPM, char* owner_auth);
> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY
> *hAIK,
> TSS_UUID aik_uuid, char* aik_auth);
> int main(int argc, char **agrv) {
> printf("entered main\n");
> TSS_HCONTEXT hContext;
> TSS_HTPM hTPM;
> TSS_HKEY hSRK, hAIKey;
> TSS_VALIDATION vData;
> TSS_RESULT result;
> BYTE nonce[20];
> int size = 20;
> //modify this code to select own aik
> TSS_UUID aik_uuid = { 0, 0, 0, 0, 0, { 0, 0, 0, 0, 0, 12 } };
> if ((result = context_init(&hContext)) != TSS_SUCCESS) {
> exit(result);
> }
> if ((result = srk_tpm_init(&hContext, &hSRK, "password", &hTPM,
> "password"))
> != TSS_SUCCESS) {
> exit(result);
> }
> vData.ulExternalDataLength = size;
> vData.rgbExternalData = nonce;
> if ((result = load_aik(&hContext, &hSRK, &hAIKey, aik_uuid, NULL ))
> != TSS_SUCCESS) {
> exit(result);
> }
> //set the nonce as external data
> printf("starting transport session\n");
> if ((result = Tspi_SetAttribUint32(hContext,
> TSS_TSPATTRIB_CONTEXT_TRANSPORT,
> TSS_TSPATTRIB_CONTEXTTRANS_CONTROL,
> TSS_TSPATTRIB_ENABLE_TRANSPORT)) != TSS_SUCCESS) {
> exit(result);
> }
> if ((result = Tspi_SetAttribUint32(hContext,
> TSS_TSPATTRIB_CONTEXT_TRANSPORT,
> TSS_TSPATTRIB_CONTEXTTRANS_MODE,
> TSS_TSPATTRIB_TRANSPORT_NO_DEFAULT_ENCRYPTION)) !=
> TSS_SUCCESS) {
> exit(result);
> }
> if ((result = Tspi_SetAttribUint32(hContext,
> TSS_TSPATTRIB_CONTEXT_TRANSPORT,
> TSS_TSPATTRIB_CONTEXTTRANS_MODE,
> TSS_TSPATTRIB_TRANSPORT_EXCLUSIVE)) != TSS_SUCCESS) {
> exit(result);
> }
> if ((result = Tspi_SetAttribUint32(hContext,
> TSS_TSPATTRIB_CONTEXT_TRANSPORT,
> TSS_TSPATTRIB_CONTEXTTRANS_MODE,
> TSS_TSPATTRIB_TRANSPORT_AUTHENTIC_CHANNEL))
> != TSS_SUCCESS) {
> exit(result);
> }
> //encapsulated commands start
>
>
>
> //encapsulated commands end
> printf("calling closeSignTransport\n");
> if ((result = Tspi_Context_CloseSignTransport(hContext, hAIKey,
> &vData))
> != TSS_SUCCESS) {
> DBG("closing transport", result);
> exit(result);
> }
> Tspi_Context_FreeMemory(hContext, NULL);
> Tspi_Context_Close(hContext);
> DBG("leaving main", result);
> exit(result);
> }
>
> //helpers
> /*
> * this function takes an uninitalized tpmobject, srk and context and
> initializes/loads it
> */
> TSS_RESULT context_init(TSS_HCONTEXT *phContext) {
> printf("entered context_init\n");
> TSS_RESULT result;
> //create context and connect to it
> if ((result = Tspi_Context_Create(phContext)) != TSS_SUCCESS) {
> return (result);
> }
> if ((result = Tspi_Context_Connect(*phContext, NULL )) != TSS_SUCCESS)
> {
> return (result);
> }
> DBG("leaving context_init", result);
> return result;
> }
>
> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
> char* srk_auth, TSS_HTPM *phTPM, char* owner_auth) {
> TSS_RESULT result;
> TSS_HPOLICY hSRKPolicy, hTPMPolicy;
> TSS_UUID UUID_SRK = TSS_UUID_SRK;
> if ((result = Tspi_Context_LoadKeyByUUID(*phContext,
> TSS_PS_TYPE_SYSTEM,
> UUID_SRK, phSRK)) != TSS_SUCCESS) {
> return (result);
> }
> //create policy object for the SRK and assign it
> if ((result = Tspi_Context_CreateObject(*phContext,
> TSS_OBJECT_TYPE_POLICY,
> TSS_POLICY_USAGE, &hSRKPolicy)) != TSS_SUCCESS) {
> return (result);
> }
> if ((result = Tspi_Policy_SetSecret(hSRKPolicy, TSS_SECRET_MODE_PLAIN,
> strlen(srk_auth), (BYTE *) srk_auth)) != TSS_SUCCESS)
> {
> return (result);
> }
> if ((result = Tspi_Policy_AssignToObject(hSRKPolicy, *phSRK)) !=
> TSS_SUCCESS) {
> return (result);
> }
>
> if ((result = Tspi_Context_GetTpmObject(*phContext, phTPM)) !=
> TSS_SUCCESS) {
> return (result);
> }
> if ((result = Tspi_Context_CreateObject(*phContext,
> TSS_OBJECT_TYPE_POLICY,
> TSS_POLICY_USAGE, &hTPMPolicy)) != TSS_SUCCESS) {
> return (result);
> }
> if ((result = Tspi_Policy_SetSecret(hTPMPolicy, TSS_SECRET_MODE_PLAIN,
> strlen(owner_auth), (BYTE *) owner_auth)) !=
> TSS_SUCCESS) {
> return (result);
> }
> if ((result = Tspi_Policy_AssignToObject(hTPMPolicy, *phTPM)) !=
> TSS_SUCCESS) {
> return (result);
> }
> return result;
> }
>
> /*
> * load an attestation key by its UUID, the context has to be connected
> and the srk has to be loaded
> */
> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY
> *hAIK,
> TSS_UUID aik_uuid, char *aik_auth) {
> printf("entered load_aik_by_uuid\n");
> TSS_RESULT result;
> TSS_HPOLICY hAIKPolicy;
> if ((result = Tspi_Context_LoadKeyByUUID(*hContext,
> TSS_PS_TYPE_SYSTEM,
> aik_uuid, hAIK)) != TSS_SUCCESS) {
> return (result);
> }
> if ((result = Tspi_GetPolicyObject(*hAIK, TSS_POLICY_USAGE,
> &hAIKPolicy))
> != TSS_SUCCESS) {
> return (result);
> }
> //if using an AIK generated from the privacyCA.com code, it has NULL
> as
> plain secret
> if (aik_auth != NULL ) {
> if ((result = Tspi_Policy_SetSecret(hAIKPolicy,
> TSS_SECRET_MODE_PLAIN,
> strlen(aik_auth), (BYTE*) aik_auth)) !=
> TSS_SUCCESS) {
> return (result);
> }
> } else {
> if ((result = Tspi_Policy_SetSecret(hAIKPolicy,
> TSS_SECRET_MODE_PLAIN,
> 0, NULL )) != TSS_SUCCESS) {
> return (result);
> }
> }
> DBG("leaving load_aik_by_uuid", result);
> return (result);
> }
>
>
>
>
> ------------------------------------------------------------------------------
> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
> much more. Get web development skills now with LearnDevNow -
> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122812
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
011613-remove_deadlock_in_authorizing_close_transport_session.patch
Description: Binary data
011613-use_rt_transport_handle_in_unencrypted_trans_sessions.patch
Description: Binary data
------------------------------------------------------------------------------ Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612
_______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
