On Fri, Jan 18, 2013 at 8:03 AM, Michael Dorner <[email protected]> wrote:
> Hey Kent,
>
> your first two patches fixed the hang on CloseSignTransport, and now I get
> an error code back at least:
>
> 0x00003126: Invalid handle.
>
> Is there anything special one has to pay attention to when executing
> commands in the transport?

  Ideally there shouldn't be, except for the rules around exclusive
sessions. Invalid handle could only be a few things here: the context,
the key or the usage policy for the key.

> Applying your last patch however makes me unable to even connect to a
> context and returns:
>
> 0x00002004: Internal Software Error

  This might be that you're linking against a trousers < 0.3.10 tspi
library and trying to connect to a 0.3.10 daemon.

Kent

> I haven't had time to check if it is a simple error or what causes it, so I
> can't say much more right now, other than that it creates an error.
>
> Thank you for your help,
>
> Michael
>
>
>
> On 17/01/2013 23:27, Kent Yoder wrote:
>>
>> On Thu, Jan 17, 2013 at 12:59 PM, Kent Yoder <[email protected]> wrote:
>>>>
>>>> I'm interested to know what you see in your testcase after applying
>>>> these patches. I get a 0x22 (invalid auth handle) return code from
>>>> Tspi_Context_CloseSignTransport, which I can't yet explain. I'm on an
>>>> STM TPM here.
>>>
>>> Ok, I see what's happening now. The code sets up an exclusive
>>> transport session, which means that while it's open, any TPM command
>>> that executes outside the TS will force a close of the TS. This
>>> includes commands sent down by the tcsd during normal operations, for
>>> things like asking the TPM which keys it has loaded. This is what
>>> happens in this case: the tcsd asks the TPM which keys it has loaded
>>> during key management, terminating the session before close. Because
>>> there's a signing key involved in closing and signing the session
>>> hash, this might *always* happen. :-(
>>
>> Got a fix for you. :-) Please test the attached patch. Also make
>> sure you've set
>>
>> enforce_exclusive_transport = 1
>>
>> in /etc/tcsd.conf, so that it doesn't ignore the fact that you want an
>> exclusive session.
>>
>> Thanks,
>> Kent
>>
>>> I've opened a defect against the tcsd [1] to look into better support
>>> for ETS.
>>>
>>> Kent
>>>
>>> [1]
>>> https://sourceforge.net/tracker/?func=detail&aid=3601290&group_id=126012&atid=704358
>>>
>>>
>>>> Kent
>>>>
>>>>> fairly sure, that the key I am using (which is an AIK) has been loaded
>>>>> correctly, and that I correctly initialized the validation structure as
>>>>> well as the context, because I can quote within the same context using
>>>>> the same code for initializing them.
>>>>>
>>>>> I am using:
>>>>>
>>>>> Ubuntu 11.04 (have to for compatibility reasons with other software)
>>>>> trousers 0.3.5-2_i386.deb (haven't seen anything in the update logs that
>>>>> would possibly fix this in future versions)
>>>>> Atmel TPM v1.2 (capabilities include one transport session)
>>>>> gcc 4.5.2
>>>>>
>>>>> I will attach a piece of code to the bottom, which produces the error
>>>>> with my system setup. I cleaned it from any unrelated code and at the
>>>>> moment it is not executing anything within the transport. However the
>>>>> same problem occurs when executing TPM commands during the transport.
>>>>>
>>>>> Calling
>>>>>
>>>>> gcc -ltspi -Wall -o ttest cleanTransportCall.c
>>>>>
>>>>> on my source file should give no warning, or at least I do not get any.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Michael Dorner
>>>>>
>>>>>
>>>>>
>>>>> ########### Code for cleanTransportCall.c: ##############################
>>>>>
>>>>> /*
>>>>>  * cleanTransportCall.c
>>>>>  *
>>>>>  * Created on: Jan 7, 2013
>>>>>  * Author: michaeldorner
>>>>>  * Purpose: Bug report CloseSignTransport
>>>>>  *
>>>>>  */
>>>>> #include <stdio.h>
>>>>> #include <string.h>
>>>>> #include <stdlib.h>
>>>>> #include <sys/types.h>
>>>>> #include <tss/platform.h>
>>>>> #include <tss/tspi.h>
>>>>> #include <trousers/trousers.h>
>>>>> // Challener debug macro (from tutorial): prints location, the TSS_RESULT
>>>>> // and its textual form as produced by Trspi_Error_String()
>>>>> #define DBG(message, tResult) printf("(Line %d, %s) %s returned 0x%08x. %s\n", \
>>>>>         __LINE__, __func__, message, tResult, (char *) Trspi_Error_String(tResult))
>>>>>
>>>>> // declarations, supporting only plaintext secrets here
>>>>> TSS_RESULT context_init(TSS_HCONTEXT *phContext);
>>>>> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
>>>>>         char *srk_auth, TSS_HTPM *phTPM, char *owner_auth);
>>>>> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
>>>>>         TSS_UUID aik_uuid, char *aik_auth);
>>>>>
>>>>> int main(int argc, char **argv) {
>>>>>     printf("entered main\n");
>>>>>     TSS_HCONTEXT hContext;
>>>>>     TSS_HTPM hTPM;
>>>>>     TSS_HKEY hSRK, hAIKey;
>>>>>     TSS_VALIDATION vData;
>>>>>     TSS_RESULT result;
>>>>>     BYTE nonce[20];
>>>>>     BYTE *rgbRandom;
>>>>>     UINT32 size = sizeof(nonce);
>>>>>     // modify this code to select own aik
>>>>>     TSS_UUID aik_uuid = { 0, 0, 0, 0, 0, { 0, 0, 0, 0, 0, 12 } };
>>>>>     if ((result = context_init(&hContext)) != TSS_SUCCESS) {
>>>>>         DBG("context_init", result);
>>>>>         exit(result);
>>>>>     }
>>>>>     if ((result = srk_tpm_init(&hContext, &hSRK, "password", &hTPM,
>>>>>             "password")) != TSS_SUCCESS) {
>>>>>         DBG("srk_tpm_init", result);
>>>>>         exit(result);
>>>>>     }
>>>>>     // fresh anti-replay nonce from the TPM RNG (uninitialized stack memory
>>>>>     // is not a nonce); the TSP owns rgbRandom, so copy it out and free it
>>>>>     if ((result = Tspi_TPM_GetRandom(hTPM, size, &rgbRandom)) != TSS_SUCCESS) {
>>>>>         DBG("getting nonce", result);
>>>>>         exit(result);
>>>>>     }
>>>>>     memcpy(nonce, rgbRandom, size);
>>>>>     Tspi_Context_FreeMemory(hContext, rgbRandom);
>>>>>     // set the nonce as external data; zero the remaining fields, the TSP
>>>>>     // fills rgbData/rgbValidationData on close
>>>>>     memset(&vData, 0, sizeof(vData));
>>>>>     vData.ulExternalDataLength = size;
>>>>>     vData.rgbExternalData = nonce;
>>>>>     if ((result = load_aik(&hContext, &hSRK, &hAIKey, aik_uuid, NULL))
>>>>>             != TSS_SUCCESS) {
>>>>>         DBG("load_aik", result);
>>>>>         exit(result);
>>>>>     }
>>>>>     printf("starting transport session\n");
>>>>>     if ((result = Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_TRANSPORT,
>>>>>             TSS_TSPATTRIB_CONTEXTTRANS_CONTROL,
>>>>>             TSS_TSPATTRIB_ENABLE_TRANSPORT)) != TSS_SUCCESS) {
>>>>>         DBG("enabling transport", result);
>>>>>         exit(result);
>>>>>     }
>>>>>     if ((result = Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_TRANSPORT,
>>>>>             TSS_TSPATTRIB_CONTEXTTRANS_MODE,
>>>>>             TSS_TSPATTRIB_TRANSPORT_NO_DEFAULT_ENCRYPTION)) != TSS_SUCCESS) {
>>>>>         DBG("transport mode: no default encryption", result);
>>>>>         exit(result);
>>>>>     }
>>>>>     if ((result = Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_TRANSPORT,
>>>>>             TSS_TSPATTRIB_CONTEXTTRANS_MODE,
>>>>>             TSS_TSPATTRIB_TRANSPORT_EXCLUSIVE)) != TSS_SUCCESS) {
>>>>>         DBG("transport mode: exclusive", result);
>>>>>         exit(result);
>>>>>     }
>>>>>     if ((result = Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_TRANSPORT,
>>>>>             TSS_TSPATTRIB_CONTEXTTRANS_MODE,
>>>>>             TSS_TSPATTRIB_TRANSPORT_AUTHENTIC_CHANNEL)) != TSS_SUCCESS) {
>>>>>         DBG("transport mode: authentic channel", result);
>>>>>         exit(result);
>>>>>     }
>>>>>     // encapsulated commands start
>>>>>
>>>>>     // encapsulated commands end
>>>>>     printf("calling closeSignTransport\n");
>>>>>     if ((result = Tspi_Context_CloseSignTransport(hContext, hAIKey, &vData))
>>>>>             != TSS_SUCCESS) {
>>>>>         DBG("closing transport", result);
>>>>>         exit(result);
>>>>>     }
>>>>>     Tspi_Context_FreeMemory(hContext, NULL);
>>>>>     Tspi_Context_Close(hContext);
>>>>>     DBG("leaving main", result);
>>>>>     exit(result);
>>>>> }
>>>>>
>>>>> // helpers
>>>>> /*
>>>>>  * this function takes an uninitialized tpmobject, srk and context and
>>>>>  * initializes/loads it
>>>>>  */
>>>>> TSS_RESULT context_init(TSS_HCONTEXT *phContext) {
>>>>>     printf("entered context_init\n");
>>>>>     TSS_RESULT result;
>>>>>     // create context and connect to it (NULL = the local tcsd)
>>>>>     if ((result = Tspi_Context_Create(phContext)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     if ((result = Tspi_Context_Connect(*phContext, NULL)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     DBG("leaving context_init", result);
>>>>>     return result;
>>>>> }
>>>>>
>>>>> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
>>>>>         char *srk_auth, TSS_HTPM *phTPM, char *owner_auth) {
>>>>>     TSS_RESULT result;
>>>>>     TSS_HPOLICY hSRKPolicy, hTPMPolicy;
>>>>>     TSS_UUID UUID_SRK = TSS_UUID_SRK;
>>>>>     if ((result = Tspi_Context_LoadKeyByUUID(*phContext, TSS_PS_TYPE_SYSTEM,
>>>>>             UUID_SRK, phSRK)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     // create policy object for the SRK and assign it
>>>>>     if ((result = Tspi_Context_CreateObject(*phContext, TSS_OBJECT_TYPE_POLICY,
>>>>>             TSS_POLICY_USAGE, &hSRKPolicy)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     if ((result = Tspi_Policy_SetSecret(hSRKPolicy, TSS_SECRET_MODE_PLAIN,
>>>>>             strlen(srk_auth), (BYTE *) srk_auth)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     if ((result = Tspi_Policy_AssignToObject(hSRKPolicy, *phSRK)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>
>>>>>     // same for the TPM object: owner secret as a plain usage policy
>>>>>     if ((result = Tspi_Context_GetTpmObject(*phContext, phTPM)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     if ((result = Tspi_Context_CreateObject(*phContext, TSS_OBJECT_TYPE_POLICY,
>>>>>             TSS_POLICY_USAGE, &hTPMPolicy)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     if ((result = Tspi_Policy_SetSecret(hTPMPolicy, TSS_SECRET_MODE_PLAIN,
>>>>>             strlen(owner_auth), (BYTE *) owner_auth)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     if ((result = Tspi_Policy_AssignToObject(hTPMPolicy, *phTPM)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     return result;
>>>>> }
>>>>>
>>>>> /*
>>>>>  * load an attestation key by its UUID, the context has to be connected
>>>>>  * and the srk has to be loaded
>>>>>  */
>>>>> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
>>>>>         TSS_UUID aik_uuid, char *aik_auth) {
>>>>>     printf("entered load_aik_by_uuid\n");
>>>>>     TSS_RESULT result;
>>>>>     TSS_HPOLICY hAIKPolicy;
>>>>>     if ((result = Tspi_Context_LoadKeyByUUID(*hContext, TSS_PS_TYPE_SYSTEM,
>>>>>             aik_uuid, hAIK)) != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     if ((result = Tspi_GetPolicyObject(*hAIK, TSS_POLICY_USAGE, &hAIKPolicy))
>>>>>             != TSS_SUCCESS) {
>>>>>         return (result);
>>>>>     }
>>>>>     // if using an AIK generated from the privacyCA.com code, it has NULL as
>>>>>     // plain secret
>>>>>     if (aik_auth != NULL) {
>>>>>         if ((result = Tspi_Policy_SetSecret(hAIKPolicy, TSS_SECRET_MODE_PLAIN,
>>>>>                 strlen(aik_auth), (BYTE *) aik_auth)) != TSS_SUCCESS) {
>>>>>             return (result);
>>>>>         }
>>>>>     } else {
>>>>>         if ((result = Tspi_Policy_SetSecret(hAIKPolicy, TSS_SECRET_MODE_PLAIN,
>>>>>                 0, NULL)) != TSS_SUCCESS) {
>>>>>             return (result);
>>>>>         }
>>>>>     }
>>>>>     DBG("leaving load_aik_by_uuid", result);
>>>>>     return (result);
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
>>>>> much more. Get web development skills now with LearnDevNow -
>>>>> 350+ hours of step-by-step video tutorials by Microsoft MVPs and
>>>>> experts.
>>>>> SALE $99.99 this month only -- learn more at:
>>>>> http://p.sf.net/sfu/learnmore_122812
>>>>> _______________________________________________
>>>>> TrouSerS-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/trousers-users
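The three result codes traded in this thread (0x00003126, 0x00002004 and 0x22) are easier to reason about once split the way the TSS 1.2 spec lays them out: bits 12-15 name the layer that generated the error (TPM chip, TDDL, tcsd's TCS, or libtspi's TSP) and bits 0-11 are the error number, which is TPM_E_* for the TPM layer and TSS_E_* for the others. The decoder below is an added example, not code from the thread or from TrouSerS; its constants are copied from the TSS 1.2 headers (tss_error_basics.h, tss_error.h, tpm_error.h) so that it builds without libtspi, and its name table is a hand-picked subset covering the codes seen here. Decoded, 0x3126 is TSP layer + TSS_E_INVALID_HANDLE (refused inside the caller's libtspi, consistent with a bad context, key or policy handle), 0x2004 is TCS layer + TSS_E_INTERNAL_ERROR (raised by the tcsd side of the connection), and 0x22 is TPM layer + TPM_E_INVALID_AUTHHANDLE (from the chip itself). Trspi_Error_String(), used by the DBG macro in the posted program, does the same lookup over the full tables.

```c
/*
 * Added example: decode a TSS_RESULT into originating layer and error name.
 * Not code from the thread or from TrouSerS. Constants copied from the
 * TSS 1.2 headers; the name tables are a small subset for this thread.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layer values and masks, as defined in tss/tss_error_basics.h */
#define TSS_LAYER_TPM      0x0000u
#define TSS_LAYER_TDDL     0x1000u
#define TSS_LAYER_TCS      0x2000u
#define TSS_LAYER_TSP      0x3000u
#define TSS_MAX_ERROR      0x0FFFu
#define TSS_ERROR_LAYER(x) ((x) & 0xFF000u)
#define TSS_ERROR_CODE(x)  ((x) & TSS_MAX_ERROR)

/* TDDL, TCS and TSP layers share the TSS_E_* numbering (tss/tss_error.h). */
#define TSS_E_FAIL             0x002u
#define TSS_E_BAD_PARAMETER    0x003u
#define TSS_E_INTERNAL_ERROR   0x004u
#define TSS_E_KEY_NOT_LOADED   0x10Eu
#define TSS_E_INVALID_KEYUSAGE 0x123u
#define TSS_E_INVALID_HANDLE   0x126u
/* The TPM layer (0x0000) carries the chip's own TPM_E_* codes (tss/tpm_error.h). */
#define TPM_E_AUTHFAIL           0x001u
#define TPM_E_BAD_PARAMETER      0x003u
#define TPM_E_INVALID_AUTHHANDLE 0x022u

struct code_name {
    uint32_t code;
    const char *name;
};

static const struct code_name tss_names[] = {
    { TSS_E_FAIL, "TSS_E_FAIL" },
    { TSS_E_BAD_PARAMETER, "TSS_E_BAD_PARAMETER" },
    { TSS_E_INTERNAL_ERROR, "TSS_E_INTERNAL_ERROR" },
    { TSS_E_KEY_NOT_LOADED, "TSS_E_KEY_NOT_LOADED" },
    { TSS_E_INVALID_KEYUSAGE, "TSS_E_INVALID_KEYUSAGE" },
    { TSS_E_INVALID_HANDLE, "TSS_E_INVALID_HANDLE" },
};

static const struct code_name tpm_names[] = {
    { TPM_E_AUTHFAIL, "TPM_E_AUTHFAIL" },
    { TPM_E_BAD_PARAMETER, "TPM_E_BAD_PARAMETER" },
    { TPM_E_INVALID_AUTHHANDLE, "TPM_E_INVALID_AUTHHANDLE" },
};

/* Which component generated the result: the chip, the device driver
 * library, the tcsd daemon, or the libtspi in the caller's process. */
const char *tss_layer_name(uint32_t result)
{
    switch (TSS_ERROR_LAYER(result)) {
    case TSS_LAYER_TPM:  return "TPM";
    case TSS_LAYER_TDDL: return "TDDL";
    case TSS_LAYER_TCS:  return "TCS";
    case TSS_LAYER_TSP:  return "TSP";
    default:             return "unknown";
    }
}

/* Symbolic name of the low 12 bits, looked up in the table for the layer. */
const char *tss_code_name(uint32_t result)
{
    const struct code_name *tab = tss_names;
    size_t n = sizeof tss_names / sizeof tss_names[0];
    uint32_t code = TSS_ERROR_CODE(result);
    size_t i;

    if (TSS_ERROR_LAYER(result) == TSS_LAYER_TPM) {
        tab = tpm_names;
        n = sizeof tpm_names / sizeof tpm_names[0];
    }
    for (i = 0; i < n; i++)
        if (tab[i].code == code)
            return tab[i].name;
    return "unknown";
}

/* Writes e.g. "0x00003126 = TSP layer, TSS_E_INVALID_HANDLE (0x126)" into buf.
 * Returns the length written, or -1 if buf is too small. */
int tss_describe(uint32_t result, char *buf, size_t len)
{
    int n = snprintf(buf, len, "0x%08x = %s layer, %s (0x%03x)",
                     (unsigned) result, tss_layer_name(result),
                     tss_code_name(result), (unsigned) TSS_ERROR_CODE(result));
    return (n < 0 || (size_t) n >= len) ? -1 : n;
}

int main(void)
{
    /* The three result codes quoted in the thread above. */
    static const uint32_t seen[] = { 0x00003126u, 0x00002004u, 0x00000022u };
    char line[96];
    size_t i;

    for (i = 0; i < sizeof seen / sizeof seen[0]; i++)
        if (tss_describe(seen[i], line, sizeof line) >= 0)
            puts(line);
    return 0;
}
```

Compile with plain `gcc -Wall` (no `-ltspi` needed). When a code decodes to the TCS layer, the error was produced on the daemon side of the socket, which is why a version mismatch between the tspi library and the tcsd shows up there rather than as a TSP-layer code.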
