From 315541740fa9a22e95818e848554d7333dad6def Mon Sep 17 00:00:00 2001
From: Juergen Repp
Date: Sun, 2 Jun 2024 14:28:18 +0200
Subject: [PATCH] FAPI: Fix usage of external PEM keys for PolicyAuthorize.

* PolicyAuthorize with an external imported PEM key did not work if the default nameAlg for the imported key (sha1) was not equal to the default nameAlg in the current fapi profile. The nameAlg from the profile is now used for the imported key.
* To prevent a possible double free after cleanup of a policy the NULL pointer is set for the reference to this policy.
Signed-off-by: Juergen Repp
---
 src/tss2-fapi/api/Fapi_Import.c | 2 ++
 src/tss2-fapi/fapi_crypto.c | 4 ++--
 src/tss2-fapi/ifapi_policy_callbacks.c | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/tss2-fapi/api/Fapi_Import.c b/src/tss2-fapi/api/Fapi_Import.c
index 5a5ef0b97..4da9a9337 100644
--- a/src/tss2-fapi/api/Fapi_Import.c
+++ b/src/tss2-fapi/api/Fapi_Import.c
@@ -204,6 +204,8 @@ Fapi_Import_Async(
 &extPubKey->public);
 goto_if_error(r, "Convert PEM public key into TPM public key.", cleanup_error);
 
+ extPubKey->public.publicArea.nameAlg = context->profiles.default_profile.nameAlg;
+
 command->new_object = *object;
 if (strncmp("/", path, 1) == 0)
 pos = 1;
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index 76d24a4b2..d7ddc58e6 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -134,7 +134,7 @@ static const TPM2B_PUBLIC templateRsaSign = {
 .size = 0,
 .publicArea = {
 .type = TPM2_ALG_RSA,
- .nameAlg = TPM2_ALG_SHA1,
+ .nameAlg = TPM2_ALG_SHA256,
 .objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ),
 .authPolicy = {
 .size = 0,
@@ -165,7 +165,7 @@ static const TPM2B_PUBLIC templateEccSign = {
 .size = 0,
 .publicArea = {
 .type = TPM2_ALG_ECC,
- .nameAlg = TPM2_ALG_SHA1,
+ .nameAlg = TPM2_ALG_SHA256,
 .objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ),
 .authPolicy = {
 .size = 0,
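Review bot: In Fapi_Import.c the added `extPubKey->public.publicArea.nameAlg = context->profiles.default_profile.nameAlg;` changes the hash that goes into the imported key's Name, yet nothing beside it says that PolicyAuthorize depends on that value. Because the Name now follows the default profile, the same PEM key imported under profiles with different nameAlg settings would presumably get different Names, so an authorization created under one profile may not verify under another. I would put a comment above the assignment, for example `/* The key Name must be built with the profile nameAlg, otherwise PolicyAuthorize cannot match keySign. */`. Fapi_Import_Async starts and ends outside the hunk, so whether anything computed from the old nameAlg before this line is still used later could not be checked.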
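Review bot: In fapi_crypto.c both `templateRsaSign` and `templateEccSign` still hard-code `.nameAlg`, so the mismatch described in the commit message can reappear for any profile whose nameAlg is not SHA-256 wherever these templates are used without the override added in Fapi_Import.c. Moving the default off SHA-1 is the safer choice, but the value is now only a fallback and the initializers should say so, e.g. `/* Default only; the import path replaces nameAlg with the profile value. */` on the `.nameAlg` line of each template. Other users of the two templates are not visible in these hunks, so whether any of them relies on the template value, or on Names previously derived with SHA-1, remains to be confirmed. Both initializers continue past the end of their hunks.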
diff --git a/src/tss2-fapi/ifapi_policy_callbacks.c b/src/tss2-fapi/ifapi_policy_callbacks.c
index 6e918452b..d94dd76b9 100644
--- a/src/tss2-fapi/ifapi_policy_callbacks.c
+++ b/src/tss2-fapi/ifapi_policy_callbacks.c
@@ -1470,8 +1470,10 @@ ifapi_exec_auth_policy(
 cleanup:
 SAFE_FREE(names);
 /* Check whether cleanup was executed. */
- if (fapi_ctx->policy.policyutil_stack)
+ if (fapi_ctx->policy.policyutil_stack) {
 cleanup_policy_list(current_policy->policy_list);
+ current_policy->policy_list = NULL;
+ }
 return r;
 }
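Review bot: The guard at `cleanup:` tests `fapi_ctx->policy.policyutil_stack`, but the lines it protects dereference `current_policy`, and the hunk does not show that the two are always valid together. If an early error can reach `cleanup:` before `current_policy` is set, both the free and the new `current_policy->policy_list = NULL;` would act on a bad pointer; `if (fapi_ctx->policy.policyutil_stack && current_policy) {` would make the assumption explicit. The comment "Check whether cleanup was executed" also no longer describes the block, and something like `/* Free the list once and clear the reference so a later policy cleanup cannot free it again. */` would record why the reset exists. ifapi_exec_auth_policy begins outside the hunk, so the initialisation of `current_policy` could not be checked.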