From 72d9cb067ca89ec0aa203469d3410b8fb10c50bd Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Wed, 10 Oct 2018 12:09:13 -0700
Subject: [PATCH] Allow parsing of permanent handles for TPM2 parents

These need to be returned in 5 bytes because they have the top
bit set and would otherwise be interpreted as negative.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---
 gnutls_tpm2.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/gnutls_tpm2.c b/gnutls_tpm2.c
index 618fdd18..e6ed14fb 100644
--- a/gnutls_tpm2.c
+++ b/gnutls_tpm2.c
@@ -207,22 +207,31 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
 	    !strcmp(value_buf, "TRUE"))
 		emptyauth = 1;
 
-	memset(value_buf, 0, 4);
-	value_buflen = 4;
+	memset(value_buf, 0, 5);
+	value_buflen = 5;
 	err = asn1_read_value(tpmkey, "parent", value_buf, &value_buflen);
 	if (err == ASN1_ELEMENT_NOT_FOUND)
 		parent = 0x40000001; // RH_OWNER
 	else if (err != ASN1_SUCCESS) {
+	badparent:
 		vpn_progress(vpninfo, PRG_ERR,
 			     _("Failed to parse TPM2 key parent: %s\n"),
 			     asn1_strerror(err));
 		goto out_tpmkey;
 	} else {
-		int i;
+		int i = 0;
 		parent = 0;
 
-		for (i = 0; i < value_buflen; i++)
-			parent |= value_buf[value_buflen - i - 1] << (8 * i);
+		if (value_buflen == 5) {
+			if (value_buf[0])
+				goto badparent;
+			/* Skip the leading zero */
+			i++;
+		}
+		for ( ; i < value_buflen; i++) {
+			parent <<= 8;
+			parent |= value_buf[i];
+		}
 	}
 
 	if (decode_data(asn1_find_node(tpmkey, "pubkey"), &pubdata) < 0) {