Skip to content

Commit

Permalink
FAPI: Fix usage of external PEM keys for PolicyAuthorize.
Browse files Browse the repository at this point in the history
* PolicyAuthorize with an external imported PEM key did not work if
  the default nameAlg for the imported key (sha1) was not equal to
  the default nameAlg in the current fapi profile.
  The nameAlg from the profile is now used for the imported key.
* To prevent a possible double free after cleanup of a policy
  the NULL pointer is set for the reference to this policy.

Signed-off-by: Juergen Repp <[email protected]>
  • Loading branch information
JuergenReppSIT committed Jun 10, 2024
1 parent 1db770a commit ba2ea64
Show file tree
Hide file tree
Showing 3 changed files with 7 additions and 3 deletions.
2 changes: 2 additions & 0 deletions src/tss2-fapi/api/Fapi_Import.c
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,8 @@ Fapi_Import_Async(
&extPubKey->public);
goto_if_error(r, "Convert PEM public key into TPM public key.", cleanup_error);

extPubKey->public.publicArea.nameAlg = context->profiles.default_profile.nameAlg;

command->new_object = *object;
if (strncmp("/", path, 1) == 0)
pos = 1;
Expand Down
4 changes: 2 additions & 2 deletions src/tss2-fapi/fapi_crypto.c
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ static const TPM2B_PUBLIC templateRsaSign = {
.size = 0,
.publicArea = {
.type = TPM2_ALG_RSA,
.nameAlg = TPM2_ALG_SHA1,
.nameAlg = TPM2_ALG_SHA256,
.objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ),
.authPolicy = {
.size = 0,
Expand Down Expand Up @@ -165,7 +165,7 @@ static const TPM2B_PUBLIC templateEccSign = {
.size = 0,
.publicArea = {
.type = TPM2_ALG_ECC,
.nameAlg = TPM2_ALG_SHA1,
.nameAlg = TPM2_ALG_SHA256,
.objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ),
.authPolicy = {
.size = 0,
Expand Down
4 changes: 3 additions & 1 deletion src/tss2-fapi/ifapi_policy_callbacks.c
Original file line number Diff line number Diff line change
Expand Up @@ -1470,8 +1470,10 @@ ifapi_exec_auth_policy(
cleanup:
SAFE_FREE(names);
/* Check whether cleanup was executed. */
if (fapi_ctx->policy.policyutil_stack)
if (fapi_ctx->policy.policyutil_stack) {
cleanup_policy_list(current_policy->policy_list);
current_policy->policy_list = NULL;
}
return r;
}

Expand Down

0 comments on commit ba2ea64

Please sign in to comment.