FAPI: Fix handle initialization after flush.

The flushed handle is now set to ESYS_TR_NONE after flush to avoid wrong error messages related to flush which did occur after other errors. Signed-off-by: Juergen Repp <[email protected]>
JuergenReppSIT · Feb 16, 2024 · 1ed4935 · 1ed4935
1 parent cf22169
commit 1ed4935
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 4 deletions.
diff --git a/src/tss2-fapi/api/Fapi_ExportKey.c b/src/tss2-fapi/api/Fapi_ExportKey.c
@@ -430,6 +430,8 @@ Fapi_ExportKey_Finish(
             return_try_again(r);
             goto_if_error(r, "Flush key", cleanup);
 
+            command->key_object->public.handle = ESYS_TR_NONE;
+
             fallthrough;
 
         statecase(context->state, EXPORT_KEY_WAIT_FOR_FLUSH2);
@@ -438,6 +440,8 @@ Fapi_ExportKey_Finish(
             return_try_again(r);
             goto_if_error(r, "Flush key", cleanup);
 
+            command->handle_ext_key = ESYS_TR_NONE;
+
             fallthrough;
 
         statecase(context->state, EXPORT_KEY_CLEANUP)

diff --git a/src/tss2-fapi/api/Fapi_Import.c b/src/tss2-fapi/api/Fapi_Import.c
@@ -652,6 +652,8 @@ Fapi_Import_Finish(
             if (!command->parent_object->misc.key.persistent_handle) {
                 r = ifapi_flush_object(context, command->parent_object->public.handle);
                 return_try_again(r);
+
+                command->parent_object->public.handle = ESYS_TR_NONE;
                 ifapi_cleanup_ifapi_object(command->parent_object);
                 goto_if_error(r, "Flush key", error_cleanup);
             } else {

diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
@@ -1202,6 +1202,7 @@ ifapi_session_clean(FAPI_CONTEXT *context)
 {
     if (context->policy_session && context->policy_session != ESYS_TR_NONE) {
         Esys_FlushContext(context->esys, context->policy_session);
+        context->policy_session = ESYS_TR_NONE;
     }
     if (context->session1 != ESYS_TR_NONE && context->session1 != ESYS_TR_PASSWORD) {
         if (context->session1 == context->session2) {
@@ -2229,6 +2230,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
 error:
     /* No policy call was executed session can be flushed */
     Esys_FlushContext(context->esys, *session);
+    *session = ESYS_TR_NONE;
     return r;
 }
 
@@ -3717,6 +3719,8 @@ ifapi_key_create(
             r = ifapi_flush_object(context, context->loadKey.handle);
             return_try_again(r);
             goto_if_error(r, "Flush key", error_cleanup);
+
+            context->loadKey.handle = ESYS_TR_NONE;
         }
 
         fallthrough;
@@ -4892,6 +4896,8 @@ ifapi_create_primary(
         return_try_again(r);
         goto_if_error(r, "Flush key", error_cleanup);
 
+        context->cmd.Key_Create.handle = ESYS_TR_NONE;
+
         fallthrough;
 
     statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WRITE_PREPARE);

diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
@@ -574,8 +574,10 @@ execute_policy_signed(
     SAFE_FREE(current_policy->buffer);
     SAFE_FREE(current_policy->pem_key);
     /* In error cases object might not have been flushed. */
-    if (current_policy->object_handle != ESYS_TR_NONE)
+    if (current_policy->object_handle != ESYS_TR_NONE)  {
         Esys_FlushContext(esys_ctx, current_policy->object_handle);
+        current_policy->object_handle = ESYS_TR_NONE;
+    }
     return r;
 }
 
@@ -745,9 +747,10 @@ execute_policy_authorize(
     }
 cleanup:
     /* In error cases object might not have been flushed. */
-    if (current_policy->object_handle != ESYS_TR_NONE)
+    if (current_policy->object_handle != ESYS_TR_NONE) {
         Esys_FlushContext(esys_ctx, current_policy->object_handle);
-
+        current_policy->object_handle = ESYS_TR_NONE;
+    }
     return r;
 }
 
@@ -955,6 +958,7 @@ execute_policy_secret(
     statecase(current_policy->state, POLICY_FLUSH_KEY);
         r = Esys_FlushContext_Finish(esys_ctx);
         try_again_or_error(r, "Flush key finish.");
+        current_policy->auth_handle = ESYS_TR_NONE;
         current_policy->state = POLICY_EXECUTE_INIT;
         break;
 
@@ -964,8 +968,9 @@ execute_policy_secret(
     return r;
 
  cleanup:
-    if (current_policy->flush_handle) {
+    if (current_policy->flush_handle && current_policy->auth_handle != ESYS_TR_NONE) {
          Esys_FlushContext(esys_ctx, current_policy->auth_handle);
+         current_policy->auth_handle = ESYS_TR_NONE;
     }
     SAFE_FREE(current_policy->nonceTPM);
     return r;