return 0;
}
-#define parent_is_generated(vpninfo) (vpninfo->tpm2->parent >> TPM2_HR_SHIFT == TPM2_HT_PERMANENT)
+#define parent_is_generated(parent) ((parent) >> TPM2_HR_SHIFT == TPM2_HT_PERMANENT)
+#define parent_is_persistent(parent) ((parent) >> TPM2_HR_SHIFT == TPM2_HT_PERSISTENT)
static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *keyHandle,
struct openconnect_info *vpninfo)
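Review bot: The two macros added here (and their IBM TSS twins later in this diff, defined on HR_SHIFT / TPM_HT_*) rely on `>>` binding tighter than `==` and carry no comment saying what the two handle types mean for the rest of the code, which matters because the same macros are used negated (`!parent_is_persistent(parent)`) in the parent-validation hunks. Parenthesising the shift removes the precedence question: `#define parent_is_generated(parent) (((parent) >> TPM2_HR_SHIFT) == TPM2_HT_PERMANENT)` and likewise for `parent_is_persistent`. A one-line comment above them would also capture the invariant the call sites depend on: `/* A PERMANENT parent names a hierarchy, so the primary is created on the fly (init_tpm2_primary) and must be flushed afterwards; a PERSISTENT parent names an existing object that is never flushed. */`, which is exactly how the FlushContext paths in this diff behave.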
goto error;
}
- if (parent_is_generated(vpninfo)) {
+ if (parent_is_generated(vpninfo->tpm2->parent)) {
if (init_tpm2_primary(vpninfo, *ctx, &parentHandle))
goto error;
} else {
goto error;
}
- if (parent_is_generated(vpninfo)) {
+ if (parent_is_generated(vpninfo->tpm2->parent)) {
r = Esys_FlushContext(*ctx, parentHandle);
if (r) {
vpn_progress(vpninfo, PRG_ERR,
return 0;
error:
- if (parent_is_generated(vpninfo) && parentHandle != ESYS_TR_NONE)
+ if (parent_is_generated(vpninfo->tpm2->parent) && parentHandle != ESYS_TR_NONE)
Esys_FlushContext(*ctx, parentHandle);
if (*keyHandle != ESYS_TR_NONE)
Esys_FlushContext(*ctx, *keyHandle);
{
TSS2_RC r;
- if (parent >> TPM2_HR_SHIFT != TPM2_HT_PERSISTENT &&
+ if (!parent_is_persistent(parent) &&
parent != TPM2_RH_OWNER && parent != TPM2_RH_NULL &&
parent != TPM2_RH_ENDORSEMENT && parent != TPM2_RH_PLATFORM) {
vpn_progress(vpninfo, PRG_ERR,
TPM_RH_NULL, NULL, 0);
}
-static void tpm2_flush_srk(TSS_CONTEXT *tssContext, TPM_HANDLE hSRK)
-{
- /* only flush if it's a volatile key which we must have created */
- if ((hSRK & 0xFF000000) == 0x80000000)
- tpm2_flush_handle(tssContext, hSRK);
-}
-
+#define parent_is_generated(parent) ((parent) >> HR_SHIFT == TPM_HT_PERMANENT)
+#define parent_is_persistent(parent) ((parent) >> HR_SHIFT == TPM_HT_PERSISTENT)
static TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h,
const char *auth, TPM_HANDLE hierarchy,
memset(&in, 0, sizeof(in));
memset(&out, 0, sizeof(out));
- if (vpninfo->tpm2->parent >> HR_SHIFT == TPM_HT_PERSISTENT) {
+ if (parent_is_persistent(vpninfo->tpm2->parent)) {
if (!pass) {
TPMT_PUBLIC pub;
rc = tpm2_readpublic(tssContext, vpninfo->tpm2->parent, &pub);
key = out.objectHandle;
out_flush_srk:
- tpm2_flush_srk(tssContext, in.parentHandle);
+ if (parent_is_generated(vpninfo->tpm2->parent))
+ tpm2_flush_handle(tssContext, in.parentHandle);
out:
vpninfo->tpm2->parent_pass = pass;
if (!key)
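Review bot: The flush at `out_flush_srk:` now keys off the configured parent handle instead of the type of the handle actually being flushed, which is what the removed tpm2_flush_srk checked (`(hSRK & 0xFF000000) == 0x80000000`, i.e. a transient handle). The two agree only if a permanent parent always leaves in.parentHandle holding the freshly generated transient primary; should tpm2_load_srk return with in.parentHandle unset or unchanged on some error path, the new test would either skip the flush and leak one of the TPM's few transient object slots, or flush a handle this code never created. Keeping the handle-type test alongside the new one preserves the old defensive behaviour at no cost: `if (parent_is_generated(vpninfo->tpm2->parent) && (in.parentHandle >> HR_SHIFT) == TPM_HT_TRANSIENT)`. The enclosing function starts and ends outside this hunk, so I cannot confirm every path that reaches this label from here.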
BYTE *der;
INT32 dersize;
- if (parent >> HR_SHIFT != TPM_HT_PERSISTENT &&
+ if (!parent_is_persistent(parent) &&
parent != TPM_RH_OWNER && parent != TPM_RH_NULL &&
parent != TPM_RH_ENDORSEMENT && parent != TPM_RH_PLATFORM) {
vpn_progress(vpninfo, PRG_ERR,