Add password parameter to load_tpm1
authorTom Carroll <incentivedesign@gmail.com>
Sat, 25 Apr 2020 06:04:43 +0000 (23:04 -0700)
committerTom Carroll <incentivedesign@gmail.com>
Wed, 6 May 2020 08:54:26 +0000 (01:54 -0700)
Signed-off-by: Tom Carroll <incentivedesign@gmail.com>
gnutls.c
gnutls.h
gnutls_tpm.c

index 0127dc05c39c7c2965cfa1af8b2ca9cbcc763392..2a8060ac3c3440ec6e1aa8ea3e9963fc0647adba 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -1663,7 +1663,7 @@ static int load_keycert(struct openconnect_info *vpninfo,
                             _("This version of OpenConnect was built without TPM support\n"));
                return -EINVAL;
 #else
-               ret = load_tpm1_key(vpninfo, &fdata, &pkey, &pkey_sig);
+               ret = load_tpm1_key(vpninfo, &fdata, password, &pkey, &pkey_sig);
                if (ret)
                        goto out;
 
index dd382fa4d8dcd01cc35d0996fc97ee7c67d3d3b8..6d39f9be94ac94717245549ba6902f46dd854f9a 100644 (file)
--- a/gnutls.h
+++ b/gnutls.h
@@ -25,6 +25,7 @@
 #include "openconnect-internal.h"
 
 int load_tpm1_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
+                 const char *password,
                  gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig);
 void release_tpm1_ctx(struct openconnect_info *info);
 
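Review bot: The new `password` parameter is added to the prototype with no contract: the header does not say whether load_tpm1_key takes ownership of the string or whether it may be NULL. The gnutls_tpm.c change in this commit copies it with strdup and frees only that copy, and a NULL password is accepted (presumably falling back to the nullpass secret shown in the later hunk), so the caller keeps ownership and is the one that must wipe the secret afterwards. A comment on the declaration such as `/* password: optional SRK PIN, may be NULL; copied internally, caller keeps ownership and should clear it after the call. */` would record that for callers.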
index 2bed077f8d5f91ca56a95cfa967d53c73958c45f..01abc3f046ae8d1611c51bf361d5982c7435f1b3 100644 (file)
@@ -86,14 +86,22 @@ static int tpm_sign_fn(gnutls_privkey_t key, void *_vpninfo,
 }
 
 int load_tpm1_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
+                 const char *password,
                  gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig)
 {
        static const TSS_UUID SRK_UUID = TSS_UUID_SRK;
        gnutls_datum_t asn1;
        unsigned int tss_len;
        char *pass;
+       unsigned int tries;
        int ofs, err;
 
+       if (vpninfo->tpm1) {
+               vpn_progress(vpninfo, PRG_ERR,
+                            _("TPM1 is in use.\n"));
+               return -EBUSY;
+       }
+
        err = gnutls_pem_base64_decode_alloc("TSS KEY BLOB", fdata, &asn1);
        if (err) {
                vpn_progress(vpninfo, PRG_ERR,
@@ -163,9 +171,14 @@ int load_tpm1_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
                goto out_srk;
        }
 
-       pass = vpninfo->cert_password;
-       vpninfo->cert_password = NULL;
-       while (1) {
+       pass = NULL;
+       if (password && (pass = strdup(password)) == NULL) {
+               vpn_progress(vpninfo, PRG_ERR,
+                            _("Out of memory.\n"));
+               goto out_srk;
+       }
+
+       for (tries = 0; ; tries++) {
                static const char nullpass[20];
 
                /* We don't seem to get the error here... */
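Review bot: The strdup failure path at `goto out_srk` sets no distinct error code, so the caller cannot distinguish allocation failure from the TPM errors that reach the same label; if `out_srk` returns a fixed code (the label is outside this hunk), an allocation failure should surface as -ENOMEM, e.g. by setting a return variable before the goto. The heap copy is released through `free_pass(&pass)` inside the loop, which the commit moves ahead of the `if (err)` check so the SetSecret failure path no longer leaks it; it is worth confirming that free_pass also wipes the buffer, since otherwise the copied PIN survives in freed heap memory. The caller's own `password` buffer is not touched by this function, so clearing it remains the caller's responsibility.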
@@ -177,6 +190,9 @@ int load_tpm1_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
                        err = Tspi_Policy_SetSecret(vpninfo->tpm1->srk_policy,
                                                    TSS_SECRET_MODE_SHA1,
                                                    sizeof(nullpass), (BYTE *)nullpass);
+
+               free_pass(&pass);
+
                if (err) {
                        vpn_progress(vpninfo, PRG_ERR,
                                     _("Failed to set TPM PIN: %s\n"),
@@ -184,8 +200,6 @@ int load_tpm1_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
                        goto out_srkpol;
                }
 
-               free_pass(&pass);
-
                /* ... we get it here instead. */
                err = Tspi_Context_LoadKeyByBlob(vpninfo->tpm1->tpm_context, vpninfo->tpm1->srk,
                                                 tss_len, asn1.data + ofs,
@@ -193,7 +207,7 @@ int load_tpm1_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
                if (!err)
                        break;
 
-               if (pass)
+               if (tries > 0 || password)
                        vpn_progress(vpninfo, PRG_ERR,
                                     _("Failed to load TPM key blob: %s\n"),
                                     Trspi_Error_String(err));