From 5dffc9b8250cc6ea837cd4567068fd7e00976068 Mon Sep 17 00:00:00 2001
From: Juergen Repp
Date: Sun, 2 Jun 2024 14:28:18 +0200
Subject: [PATCH] FAPI: Fix usage of external PEM keys for PolicyAuthorize. 4.0.x
* PolicyAuthorize with an external imported PEM key did not work if the default nameAlg for the imported key (sha1) was not equal to the default nameAlg in the current fapi profile. The nameAlg from the profile is now used for the imported key.
* To prevent a possible double free after cleanup of a policy the NULL pointer is set for the reference to this policy.
Signed-off-by: Juergen Repp
---
 src/tss2-fapi/api/Fapi_Import.c | 2 ++
 src/tss2-fapi/fapi_crypto.c | 4 ++--
 src/tss2-fapi/ifapi_policy_callbacks.c | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Import.c b/src/tss2-fapi/api/Fapi_Import.c
index 14c2175ab..47aea2011 100644
--- a/src/tss2-fapi/api/Fapi_Import.c
+++ b/src/tss2-fapi/api/Fapi_Import.c
@@ -186,6 +186,8 @@ Fapi_Import_Async(
 &extPubKey->public);
 goto_if_error(r, "Convert PEM public key into TPM public key.", cleanup_error);
+ extPubKey->public.publicArea.nameAlg = context->profiles.default_profile.nameAlg;
+
 command->new_object = *object;
 if (strncmp("/", path, 1) == 0)
 pos = 1;
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index 3f11b3d64..a5d48baf5 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -116,7 +116,7 @@ static const TPM2B_PUBLIC templateRsaSign = {
 .size = 0,
 .publicArea = {
 .type = TPM2_ALG_RSA,
- .nameAlg = TPM2_ALG_SHA1,
+ .nameAlg = TPM2_ALG_SHA256,
 .objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ),
 .authPolicy = {
 .size = 0,
@@ -147,7 +147,7 @@ static const TPM2B_PUBLIC templateEccSign = {
 .size = 0,
 .publicArea = {
 .type = TPM2_ALG_ECC,
- .nameAlg = TPM2_ALG_SHA1,
+ .nameAlg = TPM2_ALG_SHA256,
 .objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ),
 .authPolicy = {
 .size = 0,
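Review bot: The new assignment in Fapi_Import_Async always takes `context->profiles.default_profile.nameAlg`, so an external key that is later used by a policy evaluated under a non-default profile could still carry a name computed with a different hash; whether that can occur depends on code outside this hunk. The line also discards whatever nameAlg the PEM conversion just produced, and nothing at the call site says why. I would put a comment directly above it, e.g. `/* The key name must be computed with the profile's nameAlg, otherwise PolicyAuthorize does not match. */`. The function body starts and ends outside the hunk.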
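Review bot: The `.nameAlg` change in `templateRsaSign`, and the identical one in `templateEccSign` in the next hunk, is not mentioned in the commit message, which only describes taking the nameAlg from the profile. It moves the default from SHA-1 to SHA-256 for every user of these templates, not only for the import path patched above. Since a key's name is derived with its nameAlg, names or policy digests computed earlier from a template-built public area would presumably stop matching after the upgrade, which deserves a line in the commit message or changelog. A short comment on each field, such as `/* default only; the import path replaces this with the profile's nameAlg */`, would keep the two places from drifting apart. Both initializers continue outside the hunks.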
diff --git a/src/tss2-fapi/ifapi_policy_callbacks.c b/src/tss2-fapi/ifapi_policy_callbacks.c
index 22b915bf8..2f73ba6b9 100644
--- a/src/tss2-fapi/ifapi_policy_callbacks.c
+++ b/src/tss2-fapi/ifapi_policy_callbacks.c
@@ -1466,8 +1466,10 @@ ifapi_exec_auth_policy(
 cleanup:
 SAFE_FREE(names);
 /* Check whether cleanup was executed. */
- if (fapi_ctx->policy.policyutil_stack)
+ if (fapi_ctx->policy.policyutil_stack) {
 cleanup_policy_list(current_policy->policy_list);
+ current_policy->policy_list = NULL;
+ }
 return r;
 }
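Review bot: Clearing `current_policy->policy_list` closes the double free only for this exit of ifapi_exec_auth_policy. If another path frees the same list, presumably the one that clears `policyutil_stack`, it leaves a dangling pointer unless it resets the field as well; that code is outside the hunk and worth checking. Both the existing call and the new line dereference `current_policy` under the `cleanup:` label, so every `goto cleanup` taken before it is assigned needs to be ruled out, which again cannot be confirmed from here. The existing comment does not say which outcome the guard stands for; if I read it correctly, something like `/* Stack still set: the policy cleanup has not run yet, so free the list here and clear the reference. */` would make the intent explicit.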