_("This version of OpenConnect was built without TPM2 support\n"));
return -EINVAL;
#else
- ret = load_tpm2_key(vpninfo, &fdata, &pkey, &pkey_sig);
+ ret = load_tpm2_key(vpninfo, &fdata, password, &pkey, &pkey_sig);
if (ret)
goto out;
void release_tpm1_ctx(struct openconnect_info *info);
int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
+ const char *password,
gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig);
void release_tpm2_ctx(struct openconnect_info *info);
-int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
+int install_tpm2_key(struct openconnect_info *vpninfo,
+ const char *password,
+ gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
unsigned int parent, int emptyauth, int legacy,
gnutls_datum_t *privdata, gnutls_datum_t *pubdata);
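Review bot: The new `password` parameter added to the load_tpm2_key and install_tpm2_key prototypes has no contract in the header: whether it may be NULL, and whether the callee copies it or takes ownership. The esys install path copies it with strdup() and the caller keeps ownership, while the ibm path discards it with `(void) password;`, so a header comment is the only place a caller can learn this. I would add above load_tpm2_key a comment such as `/* password: optional passphrase for the TPM2 key, may be NULL; callee takes a private copy, caller retains ownership. Only honoured by backends that support it. */`, and the same note on install_tpm2_key.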
}
int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
+ const char *password,
gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig)
{
gnutls_datum_t asn1, pubdata, privdata;
int err, ret = -EINVAL;
const asn1_static_node *asn1tab;
+ if (vpninfo->tpm2) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("TPM2 is in use.\n"));
+ return -EBUSY;
+ }
+
err = gnutls_pem_base64_decode_alloc("TSS2 PRIVATE KEY", fdata, &asn1);
if (!err) {
asn1tab = tpmkey_asn1_tab;
/* Now we've extracted what we need from the ASN.1, invoke the
* actual TPM2 code (whichever implementation we end up with */
- ret = install_tpm2_key(vpninfo, pkey, pkey_sig, parent, emptyauth,
+ ret = install_tpm2_key(vpninfo, password,
+ pkey, pkey_sig, parent, emptyauth,
asn1tab == tpmkey_asn1_tab_old, &privdata, &pubdata);
if (ret < 0)
goto out_tpmkey;
TPM2B_PRIVATE priv;
TPM2B_DIGEST userauth;
TPM2B_DIGEST ownerauth;
+ char *key_pass;
unsigned int need_userauth:1;
unsigned int need_ownerauth:1;
unsigned int did_ownerauth:1;
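Review bot: `char *key_pass;` is added to the context struct without a comment on its ownership and lifetime, which matters because the auth path steals the pointer (`pass = vpninfo->tpm2->key_pass; vpninfo->tpm2->key_pass = NULL;`) and release_tpm2_ctx releases it with free_pass(). I would write `char *key_pass; /* heap copy of the key passphrase, or NULL; consumed (moved out) on first use, otherwise released with free_pass() */`. The struct definition starts outside this hunk.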
{
TSS2_RC r;
- if (vpninfo->tpm2->need_userauth || vpninfo->cert_password) {
+ if (vpninfo->tpm2->need_userauth || vpninfo->tpm2->key_pass) {
char *pass = NULL;
- if (vpninfo->cert_password) {
- pass = vpninfo->cert_password;
- vpninfo->cert_password = NULL;
+ if (vpninfo->tpm2->key_pass) {
+ pass = vpninfo->tpm2->key_pass;
+ vpninfo->tpm2->key_pass = NULL;
} else {
int err = request_passphrase(vpninfo, "openconnect_tpm2_key",
&pass, _("Enter TPM2 key password:"));
return ret;
}
-int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
+int install_tpm2_key(struct openconnect_info *vpninfo,
+ const char *password,
+ gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
unsigned int parent, int emptyauth, int legacy, gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
{
TSS2_RC r;
if (!vpninfo->tpm2)
return -ENOMEM;
+ if (password && (vpninfo->tpm2->key_pass = strdup(password)) == NULL) {
+ free(vpninfo->tpm2);
+ return -ENOMEM;
+ }
+
vpninfo->tpm2->parent = parent;
r = Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
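Review bot: The strdup() failure path at `free(vpninfo->tpm2); return -ENOMEM;` frees the context but leaves `vpninfo->tpm2` pointing at freed memory. release_tpm2_ctx later tests `if (vpninfo->tpm2)` and would call free_pass() and free() on it again (use-after-free, then double free), and the new `if (vpninfo->tpm2) return -EBUSY;` guard in load_tpm2_key would reject every subsequent load. Add `vpninfo->tpm2 = NULL;` after the free. If the context is not zero-allocated (the allocation is outside this hunk, so I cannot tell), `key_pass` is also left uninitialised when `password` is NULL and free_pass() would then read garbage; an explicit `vpninfo->tpm2->key_pass = NULL;` before the strdup() line removes that dependency. install_tpm2_key's body continues past the hunk.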
if (vpninfo->tpm2) {
clear_mem(vpninfo->tpm2->ownerauth.buffer, sizeof(vpninfo->tpm2->ownerauth.buffer));
clear_mem(vpninfo->tpm2->userauth.buffer, sizeof(vpninfo->tpm2->userauth.buffer));
+ free_pass(&vpninfo->tpm2->key_pass);
free(vpninfo->tpm2);
}
vpninfo->tpm2 = NULL;
return ret;
}
-int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
+int install_tpm2_key(struct openconnect_info *vpninfo,
+ const char *password,
+ gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
unsigned int parent, int emptyauth, int legacy,
gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
{
BYTE *der;
INT32 dersize;
+ (void) password;
+
if (!parent_is_persistent(parent) &&
parent != TPM_RH_OWNER && parent != TPM_RH_NULL &&
parent != TPM_RH_ENDORSEMENT && parent != TPM_RH_PLATFORM) {