Fix TPM2 emptyauth handling
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dwmw2 committed Oct 8, 2018
1 parent 18337ca commit c166bb76c099adf5a8e2e054e725e2141275f191
Showing 2 changed files with 4 additions and 8 deletions.
@@ -119,7 +119,7 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
}

value_buflen = sizeof(value_buf);
if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) ||
if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) &&
!strcmp(value_buf, "TRUE"))
emptyauth = 1;

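Review bot: The success test in load_tpm2_key is still spelled `!asn1_read_value(...)`, which relies on libtasn1's success code being zero and reads like "the read failed" at a glance; that spelling invites the kind of `||`/`&&` slip corrected here. I would write `if (asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) == ASN1_SUCCESS &&` so that strcmp() is visibly reached only when value_buf has been filled in. A comment such as `/* emptyAuth absent or unreadable: treat the key as password-protected */` would record the fail-closed default, assuming emptyauth is initialised to 0 earlier in the function, which starts outside this hunk.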
@@ -418,7 +418,7 @@ static int tpm2_ec_sign_fn(gnutls_privkey_t key, void *_vpninfo,
&tsig);
if (r == 0x9a2) {
vpn_progress(vpninfo, PRG_DEBUG,
_("TPM2 Esys_RSA_Decrypt auth failed\n"));
_("TPM2 Esys_Sign auth failed\n"));
vpninfo->tpm2->need_userauth = 1;
goto reauth;
}
@@ -491,12 +491,6 @@ int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, g
return -EINVAL;
};

if (!emptyauth) {
vpn_progress(vpninfo, PRG_ERR,
_("Cannot use TPM2 key with authentication\n"));
return -EINVAL;
}

vpninfo->tpm2 = calloc(1, sizeof(*vpninfo->tpm2));
if (!vpninfo->tpm2)
return -ENOMEM;
@@ -521,6 +515,8 @@ int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, g
goto err_out;
}

vpninfo->tpm2->need_userauth = !emptyauth;

gnutls_privkey_init(pkey);

switch(vpninfo->tpm2->pub.publicArea.type) {
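Review bot: The added `vpninfo->tpm2->need_userauth = !emptyauth;` in install_tpm2_key carries no comment, yet after the removal of the "Cannot use TPM2 key with authentication" rejection in the hunk above it is what decides whether a key is treated as password-protected. I would add above it `/* Ask for the key password up front unless the key declares emptyAuth; the sign/decrypt callbacks set this again when the TPM reports an auth failure. */`. The callback side is visible here only in tpm2_ec_sign_fn's `r == 0x9a2` branch; that literal would be easier to audit as a named constant. Whether the `reauth` path bounds the number of password attempts cannot be seen from these hunks, since both functions continue outside them.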
