From c166bb76c099adf5a8e2e054e725e2141275f191 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Fri, 5 Oct 2018 00:57:08 +0100
Subject: [PATCH] Fix TPM2 emptyauth handling

Signed-off-by: David Woodhouse
---
 gnutls_tpm2.c | 2 +-
 gnutls_tpm2_esys.c | 10 +++------
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/gnutls_tpm2.c b/gnutls_tpm2.c
index 6669451d..d2f2749f 100644
--- a/gnutls_tpm2.c
+++ b/gnutls_tpm2.c
@@ -119,7 +119,7 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
 }
 value_buflen = sizeof(value_buf);
- if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) ||
+ if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) &&
 !strcmp(value_buf, "TRUE"))
 emptyauth = 1;
diff --git a/gnutls_tpm2_esys.c b/gnutls_tpm2_esys.c
index 79da6189..d4989365 100644
--- a/gnutls_tpm2_esys.c
+++ b/gnutls_tpm2_esys.c
@@ -418,7 +418,7 @@ static int tpm2_ec_sign_fn(gnutls_privkey_t key, void *_vpninfo,
 &tsig);
 if (r == 0x9a2) {
 vpn_progress(vpninfo, PRG_DEBUG,
- _("TPM2 Esys_RSA_Decrypt auth failed\n"));
+ _("TPM2 Esys_Sign auth failed\n"));
 vpninfo->tpm2->need_userauth = 1;
 goto reauth;
 }
@@ -491,12 +491,6 @@ int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, g
 return -EINVAL;
 };
- if (!emptyauth) {
- vpn_progress(vpninfo, PRG_ERR,
- _("Cannot use TPM2 key with authentication\n"));
- return -EINVAL;
- }
-
 vpninfo->tpm2 = calloc(1, sizeof(*vpninfo->tpm2));
 if (!vpninfo->tpm2)
 return -ENOMEM;
@@ -521,6 +515,8 @@ int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, g
 goto err_out;
 }
+ vpninfo->tpm2->need_userauth = !emptyauth;
+
 gnutls_privkey_init(pkey);
 switch(vpninfo->tpm2->pub.publicArea.type) {
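Review bot: The corrected `&&` condition in load_tpm2_key now depends on asn1_read_value() writing the literal string "TRUE" for the BOOLEAN emptyAuth element and on value_buf being large enough to hold "FALSE" plus its terminator; value_buf's declaration is outside the hunk, so neither assumption is visible where the comparison is made and a comment would help. Suggest above the if: `/* emptyAuth is OPTIONAL (default FALSE): absent, unreadable or FALSE all leave emptyauth == 0, so the key's auth value must be supplied before use. */`. With the old `||`, a failed read also ran strcmp() on whatever value_buf held, which the new form correctly avoids. load_tpm2_key continues on both sides of the hunk.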
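Review bot: `if (r == 0x9a2)` in tpm2_ec_sign_fn is a bare magic number, and since this branch is what flips need_userauth and drives the reauth retry, its meaning should be stated in the code rather than left to the (now corrected) log text. As far as I can tell 0x9a2 is TPM2_RC_BAD_AUTH qualified with session index 1 (TPM2_RC_S | TPM2_RC_1) in the TSS response-code format; if the tss2 headers in use define those macros, writing the comparison with them would be clearer, otherwise at least add `/* TPM2_RC_BAD_AUTH for session 1: wrong auth value for this key */`. The old message suggests the RSA decrypt callback carries the same check, so the same comment belongs there. tpm2_ec_sign_fn starts and ends outside the hunk.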
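Review bot: `vpninfo->tpm2->need_userauth = !emptyauth;` is the replacement for the hard refusal deleted in the preceding hunk (@@ -491,12 +491,6 @@), and together with the load_tpm2_key change it means a key whose emptyAuth is absent or FALSE is now accepted and its auth value requested later instead of being rejected; that policy change deserves a comment so the deleted check is not mistaken for a lost one. Suggest `/* emptyAuth FALSE/absent: the key needs its auth value, collected on demand via the reauth path in the sign/decrypt callbacks. */` above the assignment. If I read the retry logic in the tpm2_ec_sign_fn hunk correctly, a key wrongly marked emptyAuth TRUE still reaches that same path once the TPM reports an auth failure, so the initial flag is only a hint, which the comment could also say. install_tpm2_key starts and ends outside the hunk.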