From 5c6e055ff358b2f2d11b6ba7c522d380efa50d7e Mon Sep 17 00:00:00 2001 From: Juergen Repp Date: Sun, 2 Jun 2024 14:28:18 +0200 Subject: [PATCH] FAPI: Fix usage of external PEM keys for PolicyAuthorize. 3.2.x * PolicyAuthorize with an external imported PEM key did not work if the default nameAlg for the imported key (sha1) was not equal to the default nameAlg in the current fapi profile. The nameAlg from the profile is now used for the imported key. * To prevent a possible double free after cleanup of a policy the NULL pointer is set for the reference to this policy. Signed-off-by: Juergen Repp --- src/tss2-fapi/api/Fapi_Import.c | 2 ++ src/tss2-fapi/fapi_crypto.c | 4 ++-- src/tss2-fapi/ifapi_policy_callbacks.c | 4 +++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/tss2-fapi/api/Fapi_Import.c b/src/tss2-fapi/api/Fapi_Import.c index a4468f64d..7106e1ab9 100644 --- a/src/tss2-fapi/api/Fapi_Import.c +++ b/src/tss2-fapi/api/Fapi_Import.c @@ -186,6 +186,8 @@ Fapi_Import_Async( &extPubKey->public); goto_if_error(r, "Convert PEM public key into TPM public key.", cleanup_error); + extPubKey->public.publicArea.nameAlg = context->profiles.default_profile.nameAlg; + command->new_object = *object; if (strncmp("/", path, 1) == 0) pos = 1; diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c index a237329d2..e56f72fa7 100644 --- a/src/tss2-fapi/fapi_crypto.c +++ b/src/tss2-fapi/fapi_crypto.c @@ -118,7 +118,7 @@ static const TPM2B_PUBLIC templateRsaSign = { .size = 0, .publicArea = { .type = TPM2_ALG_RSA, - .nameAlg = TPM2_ALG_SHA1, + .nameAlg = TPM2_ALG_SHA256, .objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ), .authPolicy = { .size = 0, @@ -149,7 +149,7 @@ static const TPM2B_PUBLIC templateEccSign = { .size = 0, .publicArea = { .type = TPM2_ALG_ECC, - .nameAlg = TPM2_ALG_SHA1, + .nameAlg = TPM2_ALG_SHA256, .objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ), .authPolicy = { .size = 0, diff --git a/src/tss2-fapi/ifapi_policy_callbacks.c b/src/tss2-fapi/ifapi_policy_callbacks.c index 3b5437214..a1228ea47 100644 --- a/src/tss2-fapi/ifapi_policy_callbacks.c +++ b/src/tss2-fapi/ifapi_policy_callbacks.c @@ -1362,8 +1362,10 @@ ifapi_exec_auth_policy( cleanup: SAFE_FREE(names); /* Check whether cleanup was executed. */ - if (fapi_ctx->policy.policyutil_stack) + if (fapi_ctx->policy.policyutil_stack) { cleanup_policy_list(current_policy->policy_list); + current_policy->policy_list = NULL; + } return r; }