Hey,

On 18/01/2013 16:34, Kent Yoder wrote:
> On Fri, Jan 18, 2013 at 8:03 AM, Michael Dorner
> <[email protected]> wrote:
>> Hey Kent,
>>
>> your first two patches fixed the hang on CloseSignTransport, and now I get
>> an error-code back at least:
>>
>> 0x00003126: Invalid handle.
>>
>> Is there anything special one has to pay attention to when executing
>> commands in the transport?
> Ideally there shouldn't be, except for the rules around exclusive
> sessions. Invalid handle could only be a few things here, the
> context, the key or the usage policy for the key.
That's what I thought, but I can successfully execute a quote before the
transport session, which uses the same context, key, and key policy and the
same code to load it. I literally inserted the code right before the
transport and it works. I am not using the exclusive session for now,
because I do not need it badly. Yet, the error has to be connected to the
transport by some means, because executing a quote with the exact same code,
which works if executed outside the transport, will also return an invalid
handle (0x00003126) inside the transport. I guess it is the key which is
causing the trouble here. I am using a PLAIN secret btw, just in case that
matters, although I think it shouldn't, because to me it seems to be an
issue with the key object.

>> Applying your last patch however makes me unable to even connect to a
>> context and returns:
>>
>> 0x00002004: Internal Software Error
> This might be that you're linking against a trousers < 0.3.10 tspi
> library and trying to connect to a 0.3.10 daemon.

Well, since I had to compile a new trousers, I figured it would be easier to
use a trousers 0.3.10 source to avoid any patch issues which may arise from
version differences. I used the same source in two different directories to
apply the first two patches and, respectively, these two plus the last one,
to generate the different versions. The first one works, the latter one
doesn't and throws the error. I even rebooted the system, not only restarted
tcsd, after the install to check if it works, but it does not. Just to note
it: the error occurs on context connect; create works.

Michael

> Kent
>
>> I haven't had time to check if it is a simple error or what causes it, so I
>> can't say much more right now, other than that it creates an error.
>>
>> Thank you for your help,
>>
>> Michael
>>
>>
>>
>> On 17/01/2013 23:27, Kent Yoder wrote:
>>> On Thu, Jan 17, 2013 at 12:59 PM, Kent Yoder <[email protected]> wrote:
>>>>> I'm interested to know what you see in your testcase after applying
>>>>> these patches. I get a 0x22 (invalid auth handle) return code from
>>>>> Tspi_Context_CloseSignTransport, which I can't yet explain. I'm on an
>>>>> STM TPM here.
>>>> Ok, I see what's happening now. The code sets up an exclusive
>>>> transport session, which means that while it's open, any TPM command
>>>> that executes outside the TS will force a close of the TS. This
>>>> includes commands sent down by the tcsd during normal operations, for
>>>> things like asking the TPM which keys it has loaded. This is what
>>>> happens in this case: the tcsd asks the TPM which keys it has loaded
>>>> during key management, terminating the session before close. Because
>>>> there's a signing key involved in closing and signing the session
>>>> hash, this might *always* happen. :-(
>>> Got a fix for you. :-) Please test the attached patch. Also make
>>> sure you've set
>>>
>>> enforce_exclusive_transport = 1
>>>
>>> in /etc/tcsd.conf, so that it doesn't ignore the fact that you want an
>>> exclusive session.
>>>
>>> Thanks,
>>> Kent
>>>
>>>> I've opened a defect against the tcsd [1] to look into better support
>>>> for ETS.
>>>>
>>>> Kent
>>>>
>>>> [1]
>>>> https://sourceforge.net/tracker/?func=detail&aid=3601290&group_id=126012&atid=704358
>>>>
>>>>
>>>>> Kent
>>>>>
>>>>>> fairly sure, that the key I am using (which is an AIK) has been loaded
>>>>>> correctly, and that I correctly initialized the validation structure as
>>>>>> well as the context, because I can quote within the same context using
>>>>>> the same code for initializing them.
>>>>>>
>>>>>> I am using:
>>>>>>
>>>>>> Ubuntu 11.04 (have to for compatibility reasons with other software)
>>>>>> trousers0.3.5-2_i386.deb (haven't seen anything on the update logs that
>>>>>> would possibly fix this in future versions)
>>>>>> Atmel TPM v1.2 (capabilities include one transport session)
>>>>>> gcc 4.5.2
>>>>>>
>>>>>> I will attach a piece of code to the bottom, which produces the error
>>>>>> with my system setup. I cleaned it from any unrelated code and at the
>>>>>> moment it is not executing anything within the transport. However the
>>>>>> same problem occurs when executing TPM commands during the transport.
>>>>>>
>>>>>> Calling
>>>>>>
>>>>>> gcc -ltspi -Wall -o ttest cleanTransportCall.c
>>>>>>
>>>>>> on my source file should give no warning, or at least I do not get any.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Michael Dorner
>>>>>>
>>>>>>
>>>>>>
>>>>>> ########### Code for cleanTransportCall.c: ##############################
>>>>>>
>>>>>> /*
>>>>>>  * cleanTransportCall.c
>>>>>>  *
>>>>>>  * Created on: Jan 7, 2013
>>>>>>  * Author: michaeldorner
>>>>>>  * Purpose: Bugreport CloseSignTransport
>>>>>>  *
>>>>>>  */
>>>>>> #include <stdio.h>
>>>>>> #include <string.h>
>>>>>> #include <stdlib.h>
>>>>>> #include <sys/types.h>
>>>>>> #include <tss/platform.h>
>>>>>> #include <tss/tspi.h>
>>>>>> #include <trousers/trousers.h>
>>>>>> //challener debug macro (from tutorial)
>>>>>> #define DBG(message, tResult) printf("(Line %d, %s) %s returned 0x%08x. %s\n", \
>>>>>>         __LINE__, __func__, message, tResult, (char*)Trspi_Error_String(tResult))
>>>>>>
>>>>>> //declarations, supporting only plaintext secrets here
>>>>>> TSS_RESULT context_init(TSS_HCONTEXT *phContext);
>>>>>> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
>>>>>>         char* srk_auth, TSS_HTPM *phTPM, char* owner_auth);
>>>>>> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
>>>>>>         TSS_UUID aik_uuid, char* aik_auth);
>>>>>>
>>>>>> int main(int argc, char **argv) {
>>>>>>     printf("entered main\n");
>>>>>>     TSS_HCONTEXT hContext;
>>>>>>     TSS_HTPM hTPM;
>>>>>>     TSS_HKEY hSRK, hAIKey;
>>>>>>     TSS_VALIDATION vData;
>>>>>>     TSS_RESULT result;
>>>>>>     BYTE nonce[20];
>>>>>>     BYTE *rnd;
>>>>>>     int size = 20;
>>>>>>     //modify this code to select own aik
>>>>>>     TSS_UUID aik_uuid = { 0, 0, 0, 0, 0, { 0, 0, 0, 0, 0, 12 } };
>>>>>>     if ((result = context_init(&hContext)) != TSS_SUCCESS) {
>>>>>>         exit(result);
>>>>>>     }
>>>>>>     if ((result = srk_tpm_init(&hContext, &hSRK, "password", &hTPM,
>>>>>>             "password")) != TSS_SUCCESS) {
>>>>>>         exit(result);
>>>>>>     }
>>>>>>     //the anti-replay nonce must be unpredictable, so fetch it from the TPM
>>>>>>     //(nonce[] was left uninitialized in the original posting)
>>>>>>     if ((result = Tspi_TPM_GetRandom(hTPM, size, &rnd)) != TSS_SUCCESS) {
>>>>>>         exit(result);
>>>>>>     }
>>>>>>     memcpy(nonce, rnd, size);
>>>>>>     Tspi_Context_FreeMemory(hContext, rnd);
>>>>>>     //set the nonce as external data
>>>>>>     vData.ulExternalDataLength = size;
>>>>>>     vData.rgbExternalData = nonce;
>>>>>>     if ((result = load_aik(&hContext, &hSRK, &hAIKey, aik_uuid, NULL))
>>>>>>             != TSS_SUCCESS) {
>>>>>>         exit(result);
>>>>>>     }
>>>>>>     printf("starting transport session\n");
>>>>>>     if ((result = Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_TRANSPORT,
>>>>>>             TSS_TSPATTRIB_CONTEXTTRANS_CONTROL,
>>>>>>             TSS_TSPATTRIB_ENABLE_TRANSPORT)) != TSS_SUCCESS) {
>>>>>>         exit(result);
>>>>>>     }
>>>>>>     if ((result = Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_TRANSPORT,
>>>>>>             TSS_TSPATTRIB_CONTEXTTRANS_MODE,
>>>>>>             TSS_TSPATTRIB_TRANSPORT_NO_DEFAULT_ENCRYPTION)) != TSS_SUCCESS) {
>>>>>>         exit(result);
>>>>>>     }
>>>>>>     if ((result = Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_TRANSPORT,
>>>>>>             TSS_TSPATTRIB_CONTEXTTRANS_MODE,
>>>>>>             TSS_TSPATTRIB_TRANSPORT_EXCLUSIVE)) != TSS_SUCCESS) {
>>>>>>         exit(result);
>>>>>>     }
>>>>>>     if ((result = Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_TRANSPORT,
>>>>>>             TSS_TSPATTRIB_CONTEXTTRANS_MODE,
>>>>>>             TSS_TSPATTRIB_TRANSPORT_AUTHENTIC_CHANNEL)) != TSS_SUCCESS) {
>>>>>>         exit(result);
>>>>>>     }
>>>>>>     //encapsulated commands start
>>>>>>
>>>>>>
>>>>>>
>>>>>>     //encapsulated commands end
>>>>>>     printf("calling closeSignTransport\n");
>>>>>>     if ((result = Tspi_Context_CloseSignTransport(hContext, hAIKey, &vData))
>>>>>>             != TSS_SUCCESS) {
>>>>>>         DBG("closing transport", result);
>>>>>>         exit(result);
>>>>>>     }
>>>>>>     Tspi_Context_FreeMemory(hContext, NULL);
>>>>>>     Tspi_Context_Close(hContext);
>>>>>>     DBG("leaving main", result);
>>>>>>     exit(result);
>>>>>> }
>>>>>>
>>>>>> //helpers
>>>>>> /*
>>>>>>  * this function takes an uninitialized tpm object, srk and context and
>>>>>>  * initializes/loads it
>>>>>>  */
>>>>>> TSS_RESULT context_init(TSS_HCONTEXT *phContext) {
>>>>>>     printf("entered context_init\n");
>>>>>>     TSS_RESULT result;
>>>>>>     //create context and connect to it
>>>>>>     if ((result = Tspi_Context_Create(phContext)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     if ((result = Tspi_Context_Connect(*phContext, NULL)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     DBG("leaving context_init", result);
>>>>>>     return result;
>>>>>> }
>>>>>>
>>>>>> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
>>>>>>         char* srk_auth, TSS_HTPM *phTPM, char* owner_auth) {
>>>>>>     TSS_RESULT result;
>>>>>>     TSS_HPOLICY hSRKPolicy, hTPMPolicy;
>>>>>>     TSS_UUID UUID_SRK = TSS_UUID_SRK;
>>>>>>     if ((result = Tspi_Context_LoadKeyByUUID(*phContext, TSS_PS_TYPE_SYSTEM,
>>>>>>             UUID_SRK, phSRK)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     //create policy object for the SRK and assign it
>>>>>>     if ((result = Tspi_Context_CreateObject(*phContext, TSS_OBJECT_TYPE_POLICY,
>>>>>>             TSS_POLICY_USAGE, &hSRKPolicy)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     if ((result = Tspi_Policy_SetSecret(hSRKPolicy, TSS_SECRET_MODE_PLAIN,
>>>>>>             strlen(srk_auth), (BYTE *) srk_auth)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     if ((result = Tspi_Policy_AssignToObject(hSRKPolicy, *phSRK)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>
>>>>>>     //fetch the TPM object and give it the owner secret the same way
>>>>>>     if ((result = Tspi_Context_GetTpmObject(*phContext, phTPM)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     if ((result = Tspi_Context_CreateObject(*phContext, TSS_OBJECT_TYPE_POLICY,
>>>>>>             TSS_POLICY_USAGE, &hTPMPolicy)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     if ((result = Tspi_Policy_SetSecret(hTPMPolicy, TSS_SECRET_MODE_PLAIN,
>>>>>>             strlen(owner_auth), (BYTE *) owner_auth)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     if ((result = Tspi_Policy_AssignToObject(hTPMPolicy, *phTPM)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     return result;
>>>>>> }
>>>>>>
>>>>>> /*
>>>>>>  * load an attestation key by its UUID, the context has to be connected
>>>>>>  * and the srk has to be loaded
>>>>>>  */
>>>>>> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
>>>>>>         TSS_UUID aik_uuid, char *aik_auth) {
>>>>>>     printf("entered load_aik_by_uuid\n");
>>>>>>     TSS_RESULT result;
>>>>>>     TSS_HPOLICY hAIKPolicy;
>>>>>>     if ((result = Tspi_Context_LoadKeyByUUID(*hContext, TSS_PS_TYPE_SYSTEM,
>>>>>>             aik_uuid, hAIK)) != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     if ((result = Tspi_GetPolicyObject(*hAIK, TSS_POLICY_USAGE, &hAIKPolicy))
>>>>>>             != TSS_SUCCESS) {
>>>>>>         return (result);
>>>>>>     }
>>>>>>     //if using an AIK generated from the privacyCA.com code, it has NULL as
>>>>>>     //plain secret
>>>>>>     if (aik_auth != NULL) {
>>>>>>         if ((result = Tspi_Policy_SetSecret(hAIKPolicy, TSS_SECRET_MODE_PLAIN,
>>>>>>                 strlen(aik_auth), (BYTE*) aik_auth)) != TSS_SUCCESS) {
>>>>>>             return (result);
>>>>>>         }
>>>>>>     } else {
>>>>>>         if ((result = Tspi_Policy_SetSecret(hAIKPolicy, TSS_SECRET_MODE_PLAIN,
>>>>>>                 0, NULL)) != TSS_SUCCESS) {
>>>>>>             return (result);
>>>>>>         }
>>>>>>     }
>>>>>>     DBG("leaving load_aik_by_uuid", result);
>>>>>>     return (result);
>>>>>> }
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
>>>>>> much more. Get web development skills now with LearnDevNow -
>>>>>> 350+ hours of step-by-step video tutorials by Microsoft MVPs and
>>>>>> experts.
>>>>>> SALE $99.99 this month only -- learn more at:
>>>>>> http://p.sf.net/sfu/learnmore_122812
>>>>>> _______________________________________________
>>>>>> TrouSerS-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/trousers-users
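The exclusive-transport rule Kent describes in the quoted mail above (any command the TPM sees outside TPM_ExecuteTransport terminates an exclusive session, so the later TPM_ReleaseTransportSigned comes back with 0x22) as an added example; this is not code from the thread, from TrouSerS or from any TPM firmware. It models a TPM with a single transport slot, as Michael's Atmel part advertises, replays the sequence the thread discusses with and without the tcsd's own TPM_GetCapability in the middle, and also splits a TSS_RESULT into its layer and code so the values quoted in the thread can be placed: 0x3126 is raised by the TSP library, 0x2004 by the tcsd, 0x22 by the TPM itself. Ordinals, return codes and layer constants are the TPM 1.2 / TSS 1.2 values; the rule that only TPM_ExecuteTransport and TPM_ReleaseTransportSigned on the session's own handle are exempt is a simplification of the specification and an assumption of this model.

```c
/* Added example: toy model of a TPM 1.2 exclusive transport session (ETS).
 * Not TrouSerS or TPM code.  Constants are the TPM 1.2 / TSS 1.2 values;
 * the exemption rule in tpm_submit() is a simplification of the spec. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPM 1.2 ordinals used by the model */
#define TPM_ORD_GetCapability          0x00000065u
#define TPM_ORD_ExecuteTransport       0x000000E7u
#define TPM_ORD_ReleaseTransportSigned 0x000000E8u

/* TPM 1.2 return codes */
#define TPM_SUCCESS            0x00000000u
#define TPM_RESOURCES          0x00000015u
#define TPM_INVALID_AUTHHANDLE 0x00000022u

/* TSS 1.2 result layering: bits 12..15 name the component that failed */
#define TSS_LAYER_TPM  0x0000u
#define TSS_LAYER_TDDL 0x1000u
#define TSS_LAYER_TCS  0x2000u
#define TSS_LAYER_TSP  0x3000u

/* 0x3126 -> TSS_LAYER_TSP (libtspi), 0x2004 -> TSS_LAYER_TCS (tcsd),
 * 0x22 -> TSS_LAYER_TPM (the chip answered). */
uint32_t tss_layer(uint32_t result) { return result & 0xF000u; }

/* One transport slot, as on the Atmel part in the thread. */
struct tpm_model {
    uint32_t trans_handle;   /* 0 = no transport session open */
    int      exclusive;
    uint32_t next_handle;
};

void tpm_reset(struct tpm_model *t)
{
    memset(t, 0, sizeof *t);
    t->next_handle = 0x01000000u;
}

/* TPM_EstablishTransport: fails with TPM_RESOURCES while the slot is taken. */
uint32_t tpm_establish_transport(struct tpm_model *t, int exclusive, uint32_t *handle)
{
    if (t->trans_handle)
        return TPM_RESOURCES;
    t->trans_handle = t->next_handle++;
    t->exclusive = exclusive;
    *handle = t->trans_handle;
    return TPM_SUCCESS;
}

/* Every command the TPM sees, whether the application or the tcsd sent it.
 * `handle` only matters for the two transport ordinals. */
uint32_t tpm_submit(struct tpm_model *t, uint32_t ordinal, uint32_t handle)
{
    switch (ordinal) {
    case TPM_ORD_ExecuteTransport:
    case TPM_ORD_ReleaseTransportSigned:
        /* a handle the TPM no longer knows is reported as 0x22 */
        if (t->trans_handle == 0 || handle != t->trans_handle)
            return TPM_INVALID_AUTHHANDLE;
        if (ordinal == TPM_ORD_ReleaseTransportSigned)
            t->trans_handle = 0;         /* normal close */
        return TPM_SUCCESS;
    default:
        /* ETS rule: any other command outside the wrapper invalidates an
         * exclusive session.  The command itself still succeeds, so the
         * tcsd sees nothing wrong; only the later close fails. */
        if (t->trans_handle && t->exclusive)
            t->trans_handle = 0;
        return TPM_SUCCESS;
    }
}

/* Replay the thread's sequence: open, one wrapped command (the quote),
 * optionally the tcsd's own TPM_GetCapability for loaded key handles, close. */
uint32_t run_session(int exclusive, int tcsd_housekeeping)
{
    struct tpm_model tpm;
    uint32_t h = 0, rc;

    tpm_reset(&tpm);
    if ((rc = tpm_establish_transport(&tpm, exclusive, &h)) != TPM_SUCCESS)
        return rc;
    if ((rc = tpm_submit(&tpm, TPM_ORD_ExecuteTransport, h)) != TPM_SUCCESS)
        return rc;
    if (tcsd_housekeeping)
        (void)tpm_submit(&tpm, TPM_ORD_GetCapability, 0);
    return tpm_submit(&tpm, TPM_ORD_ReleaseTransportSigned, h);
}

int main(void)
{
    printf("exclusive, tcsd quiet   : 0x%08x\n", run_session(1, 0));
    printf("exclusive, tcsd busy    : 0x%08x\n", run_session(1, 1));
    printf("non-exclusive, tcsd busy: 0x%08x\n", run_session(0, 1));
    printf("0x3126 is layer 0x%04x, 0x2004 is layer 0x%04x, 0x22 is layer 0x%04x\n",
           tss_layer(0x3126u), tss_layer(0x2004u), tss_layer(0x22u));
    return 0;
}
```

The middle case is the one Kent reproduced on his STM part: the tcsd's housekeeping command succeeds, the exclusive session is gone, and TPM_ReleaseTransportSigned is the first command to notice. This is why the fix has to live in the tcsd (and why enforce_exclusive_transport = 1 in /etc/tcsd.conf matters: without it the daemon does not treat the session as exclusive at all); the layer nibble is also the quickest way to tell a libtspi/tcsd version mismatch such as 0x2004 from a TPM-level error such as 0x22.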
