Commit c166bb76 authored by David Woodhouse's avatar David Woodhouse

Fix TPM2 emptyauth handling

Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
parent 18337ca1
......@@ -119,7 +119,7 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
}
value_buflen = sizeof(value_buf);
if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) ||
if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) &&
!strcmp(value_buf, "TRUE"))
emptyauth = 1;
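Review bot: The `&&` on the new line makes `strcmp` run only once `asn1_read_value` has succeeded, but the `!` test still relies on ASN1_SUCCESS being zero and on `value_buf` holding a NUL-terminated "TRUE"/"FALSE" string, neither of which is stated; a comment would save the next reader the lookup, e.g. `/* asn1_read_value() returns ASN1_SUCCESS (0); libtasn1 renders a BOOLEAN as the string "TRUE" or "FALSE" */`. With the old `||`, a failed read (a missing OPTIONAL emptyAuth field, or a `value_buf` too small) was silently treated as emptyauth=1; with `&&` those cases leave `emptyauth` at whatever it was initialised to before this hunk, which needs to be 0 so that an unreadable field is treated as "authorisation required" — confirm that initialisation, since it is outside the hunk. load_tpm2_key starts before this hunk.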
......@@ -418,7 +418,7 @@ static int tpm2_ec_sign_fn(gnutls_privkey_t key, void *_vpninfo,
&tsig);
if (r == 0x9a2) {
vpn_progress(vpninfo, PRG_DEBUG,
_("TPM2 Esys_RSA_Decrypt auth failed\n"));
_("TPM2 Esys_Sign auth failed\n"));
vpninfo->tpm2->need_userauth = 1;
goto reauth;
}
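Review bot: The bare `0x9a2` in the `if` that owns the corrected message is a magic TPM response code with no comment; by the TPM2 rc layout it appears to be TPM2_RC_BAD_AUTH (0x0A2) qualified by the session bit and session number 1, but that should be confirmed and spelled out, e.g. `/* TPM2_RC_S + TPM2_RC_1 + TPM2_RC_BAD_AUTH: wrong authValue on session 1 */`, or better, a comparison built from the TSS2 rc macros instead of the literal. If the TPM can also report TPM2_RC_AUTH_FAIL (the DA-affecting variant) for a wrong password, this exact match would miss it and the code would not reach `reauth`; worth checking against the Esys_Sign documentation. The hunk begins inside the Esys_Sign call and tpm2_ec_sign_fn continues past it, so the `reauth` label and any retry limit are not visible here.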
......@@ -491,12 +491,6 @@ int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, g
return -EINVAL;
};
if (!emptyauth) {
vpn_progress(vpninfo, PRG_ERR,
_("Cannot use TPM2 key with authentication\n"));
return -EINVAL;
}
vpninfo->tpm2 = calloc(1, sizeof(*vpninfo->tpm2));
if (!vpninfo->tpm2)
return -ENOMEM;
......@@ -521,6 +515,8 @@ int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, g
goto err_out;
}
vpninfo->tpm2->need_userauth = !emptyauth;
gnutls_privkey_init(pkey);
switch(vpninfo->tpm2->pub.publicArea.type) {
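Review bot: The new `vpninfo->tpm2->need_userauth = !emptyauth;` carries the whole consequence of dropping the "Cannot use TPM2 key with authentication" guard in the earlier hunk, yet nothing says what a set flag leads to; a one-line comment would help, e.g. `/* Key has a non-empty authValue: the user's password must be obtained before the first TPM operation (the sign callbacks set this again on an auth failure and retry). */` — the retry half is inferred from tpm2_ec_sign_fn setting the same flag and jumping to `reauth`, so word it to match what that path actually does. With the guard gone, a key whose emptyAuth is FALSE or absent now proceeds through the allocation and loading code and is only refused if the later authorisation fails, so confirm that path still yields a clear error for a non-interactive run that cannot prompt, where the old up-front -EINVAL used to. install_tpm2_key runs beyond both hunks.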