Rajiv Andrade wrote:
> Hi Wyllys,
>
> Can you send me it with the whitespaces fine? Will apply it as soon as I
> get it. Did the patch I sent you about the Tspi_ChangeAuth issue work
> ok?
>
> Thanks tracking it back,
> Rajiv Andrade
> IBM LTC Security Development
My earlier fix was not quite right. There are a couple of problems with
the current auth_mgr code.
- when auth_mgr_release_auth_handle is called, it should NOT be trying to
flush the
auth handles from the TPM. If the "cont" flag is not set, then the TPM has
already
purged the handle. If the "cont" flag is TRUE, then the TPM still needs it.
If you
call FlushSpecific on an auth handle with the fContinueAuth == FALSE, the
TPM returns
an invalid handle error. It is basically a waste of time to try to purge
those handles.
- auth_mgr_close_context needs to flush any active handles that are associated
with the TCS context.
- The auth_mgr.auth_mapper[] records should be zeroed when a handle is
released or closed.
- The "auth_mgr.auth_mapper[].full" flag is probably redundant since you could
just as
easily check for a non-zero tpm_handle value to determine if the slot is
occupied, but I
left that alone for now.
Attached is a patch, I currently just have the code in
"auth_mgr_release_auth_handle"
blocked with "#if 0 ... #endif". I'm going to do some more testing.
I have not tried your Tspi_ChangeAuth fix yet.
-Wyllys
--- src/tcs/tcs_auth_mgr.c.old Wed Nov 11 11:28:36 2009
+++ src/tcs/tcs_auth_mgr.c Wed Nov 11 11:28:27 2009
@@ -28,7 +28,6 @@
MUTEX_DECLARE_EXTERN(tcsp_lock);
-
/* Note: The after taking the auth_mgr_lock in any of the functions below, the
* mem_cache_lock cannot be taken without risking a deadlock. So, the auth_mgr
* functions must be "self-contained" wrt locking */
@@ -80,7 +79,7 @@
TSS_RESULT
auth_mgr_save_ctx(TCS_CONTEXT_HANDLE hContext)
{
- TSS_RESULT result;
+ TSS_RESULT result = TSS_SUCCESS;
UINT32 i;
for (i = 0; i < auth_mgr.auth_mapper_size; i++) {
@@ -87,7 +86,6 @@
if (auth_mgr.auth_mapper[i].full == TRUE &&
auth_mgr.auth_mapper[i].swap == NULL &&
auth_mgr.auth_mapper[i].tcs_ctx != hContext) {
-
LogDebug("Calling TPM_SaveAuthContext for TCS CTX %x.
Swapping out: TCS %x "
"TPM %x", hContext,
auth_mgr.auth_mapper[i].tcs_ctx,
auth_mgr.auth_mapper[i].tpm_handle);
@@ -98,12 +96,11 @@
LogDebug("TPM_SaveAuthContext failed: 0x%x",
result);
return result;
}
-
- /* XXX should there be a break here? */
+ break;
}
}
- return TSS_SUCCESS;
+ return result;
}
/* if there's a TCS context waiting to get auth, wake it up or swap it in */
@@ -218,8 +215,8 @@
/* Ok, probably dealing with a 1.1 TPM */
if (result == TPM_E_BAD_ORDINAL)
- result = internal_TerminateHandle(
-
auth_mgr.auth_mapper[i].tpm_handle);
+ result = internal_TerminateHandle(
+ auth_mgr.auth_mapper[i].tpm_handle);
if (result == TCPA_E_INVALID_AUTHHANDLE) {
LogDebug("Tried to close an invalid
auth handle: %x",
@@ -228,10 +225,14 @@
LogDebug("TPM_TerminateHandle returned
%d", result);
}
}
+ /* clear the slot */
auth_mgr.open_auth_sessions--;
auth_mgr.auth_mapper[i].full = FALSE;
+ auth_mgr.auth_mapper[i].tpm_handle = 0;
+ auth_mgr.auth_mapper[i].tcs_ctx = 0;
LogDebug("released auth for TCS %x TPM %x", tcs_handle,
- auth_mgr.auth_mapper[i].tpm_handle);
+ auth_mgr.auth_mapper[i].tpm_handle);
+
auth_mgr_swap_in();
}
}
@@ -264,14 +265,15 @@
auth_mgr.auth_mapper[i].tpm_handle == tpm_auth_handle &&
auth_mgr.auth_mapper[i].tcs_ctx == tcs_handle) {
if (!cont) {
+#if 0
/* Only termininate when not in use anymore */
result =
TCSP_FlushSpecific_Common(auth_mgr.auth_mapper[i].tpm_handle,
- TPM_RT_AUTH);
+ TPM_RT_AUTH);
/* Ok, probably dealing with a 1.1 TPM */
if (result == TPM_E_BAD_ORDINAL)
- result = internal_TerminateHandle(
-
auth_mgr.auth_mapper[i].tpm_handle);
+ result = internal_TerminateHandle(
+ auth_mgr.auth_mapper[i].tpm_handle);
if (result == TCPA_E_INVALID_AUTHHANDLE) {
LogDebug("Tried to close an invalid
auth handle: %x",
@@ -279,12 +281,23 @@
} else if (result != TCPA_SUCCESS) {
LogDebug("TPM_TerminateHandle returned
%d", result);
}
+
+ if (result == TPM_SUCCESS) {
+ LogDebug("released auth for TCS %x TPM
%x",
+
auth_mgr.auth_mapper[i].tcs_ctx, tpm_auth_handle);
+ }
+#endif
+ /*
+ * Mark it as released, the "cont" flag
indicates
+ * that it is no longer needed.
+ */
+ auth_mgr.open_auth_sessions--;
+ auth_mgr.auth_mapper[i].full = FALSE;
+ auth_mgr.auth_mapper[i].tpm_handle = 0;
+ auth_mgr.auth_mapper[i].tcs_ctx = 0;
+ auth_mgr_swap_in();
}
- auth_mgr.open_auth_sessions--;
- auth_mgr.auth_mapper[i].full = FALSE;
- LogDebug("released auth for TCS %x TPM %x",
- auth_mgr.auth_mapper[i].tcs_ctx,
tpm_auth_handle);
- auth_mgr_swap_in();
+ /* If the cont flag is TRUE, we have to keep the handle
*/
}
}
@@ -563,4 +576,3 @@
return result;
}
-
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
TrouSerS-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-tech
