Rajiv Andrade wrote:
> Hi,
>
> I've been already taking a look at your previous email about this.
>
> The main issue is that the hNewPolicy parameter is described as:
> "Handle of the policy object _providing the new authorization data_."
>
> The authorization data prompt should be done using Tspi calls, I agree,
> but not necessarily inside Tspi_ChangeAuth.
>
> So, for the new policy you're submitting to Tspi_ChangeAuth you must
> call Tspi_Policy_SetSecret() with TSS_SECRET_MODE_POPUP mode set. Are
> you doing it this way? The same must be done with the currently assigned
> key object's policy. Let us know if it still doesn't work.
Correct, the code that we are trying to use is using TSS_SECRET_MODE_POPUP
for both the hTPM policy and also for the new usage policy. Tspi never prompts
for either one.
Ex:
if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP, 0, NULL))
return (ERR_FAIL);
/* new policy object */
ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE, &hNewPolicy);
if (ret) {
print_error(ret, gettext("Create policy object"));
return (ERR_FAIL);
}
ret = Tspi_Policy_SetSecret(hNewPolicy, TSS_SECRET_MODE_POPUP,
0, NULL);
if (ret) {
print_error(ret, gettext("Set policy object secret"));
return (ERR_FAIL);
}
ret = Tspi_ChangeAuth(hTPM, NULL, hNewPolicy);
if (ret) {
print_error(ret, gettext("Change authorization"));
return (ERR_FAIL);
}
...
As a test, I have hacked the code in changeauth_owner to do the following
at the very beginning:
TCPA_SECRET secret;
TSS_HOBJECT hPolicy;
if ((result = obj_tpm_get_policy(hObjectToChange, TSS_POLICY_USAGE,
&hPolicy)))
return result;
if ((result = obj_policy_get_secret(hPolicy, TR_SECRET_CTX_NEW,
&secret)))
return result;
if ((result = obj_policy_get_secret(hNewPolicy, TR_SECRET_CTX_NEW,
&secret)))
return result;
if ((result = authsess_xsap_init(tspContext, hObjectToChange,
hNewPolicy,
TSS_AUTH_POLICY_REQUIRED,
TPM_ORD_ChangeAuthOwner,
TPM_ET_OWNER, &xsap)))
...
In the above code the "secret" data is ignored. obj_policy_get_secret is just
being
called because it is the only way to trigger the call to popup_GetSecret, the
result
is irrelevant because the actual auth data gets extracted by authsess_xsap_init.
This does indeed prompt for 2 Passwords and the command then succeeds, though I
don't think this is the correct solution. Also, doing it this way, the user
gets the
same prompt for both the current password and the new one so its not very
intuitive as to
which one is being prompted.
-Wyllys
>
> Thanks,
> Rajiv Andrade
> IBM LTC Security Development
>
> On Fri, 2009-10-16 at 15:23 -0400, Wyllys Ingersoll wrote:
>> Is it a bug that one cannot use the TSS_SECRET_MODE_POPUP mode for the
>> old and new policies when calling Tspi_ChangeAuth?
>>
>> Ideally, I would like to utilize the built-in prompting mechanisms
>> instead of having to write my program to prompt for the passwords,
>> but Tspi_ChangeAuth never calls the functions that cause the user
>> to be prompted, they just return "auth failed" if the POPUP method
>> is specified because the auth secrets never get initialized.
>>
>> This seems like a bug, the spec does not say that you cannot use
>> those modes with the policies involved in the ChangeAuth command.
>>
>> thoughts?
>>
>> thanks,
>> -Wyllys
>>
>> ------------------------------------------------------------------------------
>> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
>> is the only developer event you need to attend this year. Jumpstart your
>> developing skills, take BlackBerry mobile applications to market and stay
>> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
>> http://p.sf.net/sfu/devconference
>> _______________________________________________
>> TrouSerS-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/trousers-users
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> http://p.sf.net/sfu/devconference
> _______________________________________________
> TrouSerS-tech mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-tech
------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
TrouSerS-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-tech
